Abstract. We propose a framework for reasoning about unbounded dynamic networks of infinite-state processes. We propose Constrained Petri Nets (CPN) as generic models for these networks. They can be seen as Petri nets where tokens (representing occurrences of processes) are colored by values over some potentially infinite data domain such as integers, reals, etc. Furthermore, we define a logic, called CML (colored markings logic), for the description of CPN configurations. CML is a first-order logic over tokens allowing to reason about their locations and their colors. Both CPNs and CML are parametrized by a color logic allowing to express constraints on the colors (data) associated with tokens.

We investigate the decidability of the satisfiability problem of CML and its applications 
in the verification of CPNs. We identify a fragment of CML for which the satisfiability 
problem is decidable (whenever it is the case for the underlying color logic), and which is 
closed under the computations of post and pre images for CPNs. These results can be used 
for several kinds of analysis such as invariance checking, pre-post condition reasoning, and 
bounded reachability analysis. 



1. Introduction 

The verification of software systems requires in general the consideration of infinite- 
state models. The sources of infinity in software models are multiple. One of them is 
the manipulation of variables and data structures ranging over infinite domains (such as 
integers, reals, arrays, etc). Another source of infinity is the fact that the number of 
processes running in parallel in the system can be either a parameter (fixed but arbitrarily 
large), or it can be dynamically changing due to process creation. While the verification 
of parameterized systems requires reasoning uniformly about the infinite family of (static) 
networks corresponding to any possible number of processes, the verification of dynamic 
systems requires reasoning about the infinite number of all possible dynamically changing 
network configurations. 

There are many works and several approaches on the verification of infinite-state systems taking into account either the aspects related to infinite data domains, or the aspects related to unbounded network structures due to parametrization or dynamic creation of processes. Concerning systems with data manipulation, a lot of work has been devoted to the verification of, for instance, finite-structure systems with unbounded counters, clocks, stacks, queues, etc. (see, e.g., [AČJT96, BEM97, WB98, Boi99, AAB00, FS01, WL02]). On the other hand, a lot of work has been done for the verification of parameterized and dynamic networks of Boolean (or finite-data domain) processes, proposing either exact model-checking and reachability analysis techniques for specific classes of systems (such as broadcast protocols, multithreaded programs, etc) [EN98, EFM99, DRB02, BT05, BMOT05], or generic algorithmic techniques (which can be approximate, or not guaranteed to terminate) such as network invariants-based approaches [WL89, CGJ97], and (abstract) regular model checking [BJNT00, Bou01, AJNS04, BHV04]. However, only few works consider both infinite data manipulation and parametric/dynamic network structures (see the paragraph on related work).

In this paper, we propose a generic framework for reasoning about parameterized and 
dynamic networks of concurrent processes which can manipulate (local and global) variables 
over infinite data domains. Our framework is parameterized by a data domain and a first- 
order theory on it (e.g., Presburger arithmetics on natural numbers). It consists of (1) 
expressive models allowing to cover a wide class of systems, and (2) a logic allowing to 
specify and to reason about the configurations of these models. 

The models we propose are called Constrained Petri Nets (CPN for short). They are 
based on (place/transition) Petri nets where tokens are colored by data values. Intuitively, 
tokens represent different occurrences of processes, and places are associated with control 
locations and contain tokens corresponding to processes which are at a same control location. 
Since processes can manipulate local variables, each token (process occurrence) has several 
colors corresponding to the values of these variables. Then, configurations of our models 
are markings where each place contains a set of colored tokens, and transitions modify the 
markings as usual by removing tokens from some places and creating new ones in some 
other places. Transitions are guarded by constraints on the colors of tokens before and after 
firing the transition. We show that CPNs allow to model various aspects such as unbounded 
dynamic creation of processes, manipulation of local and global variables over unbounded 
domains such as integers, synchronization, communication through shared variables, locks, 
etc. 

The logic we propose for specifying configurations of CPNs is called Colored Markings 
Logic (CML for short). It is a first order logic over tokens and their colors. It allows to 
reason about the presence of tokens in places, and also about the relations between the 
colors of these tokens. The logic CML is parameterized by a first order logic over the color 
domain allowing to express constraints on tokens. 

We investigate the decidability of the satisfiability problem of CML and its applications 
in verification of CPNs. While the logic is decidable for finite color domains (such as 
booleans), we show that, unfortunately, the satisfiability problem of this logic becomes 
undecidable as soon as we consider the color domain to be the set of natural numbers with 
the usual ordering relation (and without any arithmetical operations). We prove that this 
undecidability result holds already for the fragment $\forall^*\exists^*$ of the logic (in the alternation hierarchy of the quantifiers over token variables) with this color domain.

On the other hand, we prove that the satisfiability problem is decidable for the fragment $\exists^*\forall^*$ of CML whenever the underlying color logic has a decidable satisfiability problem, e.g., Presburger arithmetics, the first-order logic of addition and multiplication over reals, etc. Moreover, we prove that the fragment $\exists^*\forall^*$ of CML is effectively closed under post and pre image computations (i.e., computation of immediate successors and immediate predecessors) for CPNs where all transition guards are also in $\exists^*\forall^*$. We show also that the same closure results hold when we consider the fragment $\exists^*$ instead of $\exists^*\forall^*$.

These generic decidability and closure results can be applied in the verification of CPN models following different approaches such as pre-post condition (Hoare triples based) reasoning, bounded reachability analysis, and inductive invariant checking. More precisely, we derive from our results mentioned above that (1) checking whether starting from a $\exists^*\forall^*$ pre-condition, a $\forall^*\exists^*$ condition holds after the execution of a transition is decidable, that (2) the bounded reachability problem between two $\exists^*\forall^*$ definable sets is decidable, and that (3) checking whether a formula defines an inductive invariant is decidable for Boolean combinations of $\exists^*$ formulas.

These results can be used to deal with non trivial examples of systems. Indeed, in many cases, program invariants and the assertions needed to establish them fall in the considered fragments of our logic. We illustrate this by carrying out in our framework the verification of several parameterized systems (including the examples usually considered in the literature such as the Bakery mutual exclusion protocol [Lam74]). In particular, we provide an inductive proof of correctness for the parametric version of the Reader-Writer lock system introduced in [FFQ02]. Flanagan et al. give a proof of this case study for the case of one reader and one writer. We consider here an arbitrarily large number of reader and writer processes and carry out (for the first time, to our knowledge) its verification by inductive invariant checking. We provide experimental results obtained for these examples using a prototype tool we have implemented based on our decision and verification procedures.

Related work: The use of unbounded Petri nets as models for parameterized networks of processes has been proposed in many existing works such as [GS92, EN98, DRB02]. However, these works consider networks of finite-state processes and do not address the issue of manipulating infinite data domains. The extension of this idea to networks of infinite-state processes has been addressed only in very few works [AJ98, Del01, BD02, AD06]. In [AJ98], Abdulla and Jonsson consider the case of networks of 1-clock timed systems and show, using the theory of well-structured systems and well quasi orderings [AČJT96, FS01], that the verification problem for a class of safety properties is decidable. Their approach has been extended in [Del01, BD02] to a particular class of multiset rewrite systems with constraints (see also [AD06] for recent developments of this approach). Our modeling framework is actually inspired by these works. However, while they address the issue of deciding the verification problem of safety properties (by reduction to the coverability problem) for specific classes of systems, we consider in our work a general framework, allowing to deal in a generic way with various classes of systems, where the user can express assertions about the configurations of the system, and check automatically that they hold (using post-pre reasoning and inductive invariant checking) or that they do not hold (using bounded reachability analysis). Our framework allows to reason automatically about systems which are beyond the scope of the techniques proposed in [AJ98, Del01, BD02, AD06] such as, for instance, the parameterized Reader-Writer lock system presented in this paper.

In parallel to our work, Abdulla et al. developed in [ADHR07, AHDR08] abstract backward reachability analysis for a restricted class of constrained multiset rewrite systems. Basically, they consider constraints which are boolean combinations of universally quantified formulas, where data constraints are in the particular class of existentially quantified gap-order constraints. The abstraction they consider consists in taking after each pre-image computation the upward closure of the obtained set. This helps termination of the iterative computation and yields an upper-approximation of the backward reachability set. However, the used abstract analysis can be too imprecise for some systems. Our approach allows in contrast to carry out pre-post reasoning, invariance checking, as well as bounded analysis, for a larger class of systems. Techniques like those used in [ADHR07, AHDR08] could be integrated into our framework in the future in order to discover (local) invariants automatically.

In a series of papers, Pnueli et al. developed an approach for the verification of parameterized systems combining abstraction and proof techniques (see, e.g., [APR+01]). This is probably one of the most advanced existing approaches allowing to deal with unbounded networks of infinite-state processes. We propose here a different framework for reasoning about these systems. In [APR+01], the authors consider a logic on (parametric-bound) arrays of integers, and they identify a fragment of this logic for which the satisfiability problem is decidable. In this fragment, they restrict the shape of the formula (quantification over indices) to formulas in the fragment $\exists^*\forall^*$ similarly to what we do, and also the class of used arithmetical constraints on indices and on the associated values. In a recent work by Bradley et al. [BMS06b], the satisfiability problem of the logic of unbounded arrays with any kind of elements values is investigated and the authors provide a new decidable fragment, which is incomparable to the one defined in [APR+01], but again which imposes similar restrictions on the quantifiers alternation in the formulas, and on the kind of constraints on indices that can be used. In contrast with these works, we consider a logic on multisets of elements with any kind of associated data values, provided that the used theory on the data domain is decidable. For instance, we can use in our logic general Presburger constraints whereas [APR+01] allows limited classes of constraints. On the other hand, we cannot specify faithfully unbounded arrays in our decidable fragment because formulas of the form $\forall^*\exists^*$ are needed to express that every non extremal element has a successor/predecessor. Nevertheless, for the verification of safety properties and invariant checking, expressing this fact is not necessary, and therefore, it is possible to handle (model and verify) in our framework all usual examples of parameterized systems (such as mutual exclusion protocols) considered in the works cited above.

Let us finally mention that there are recent works on logics (first-order logics, or temporal logics) over finite/infinite structures (words or trees) over infinite alphabets (which can be considered as abstract infinite data domains) [BMS+06a, BDM+06, DL06]. The obtained positive results so far concern logics with very limited data domain (basically infinite sets with only equality, or sometimes with an ordering relation), and are based on reduction to complex problems such as reachability in Petri nets.
2. Colored Markings Logic 

2.1. Preliminaries. Consider an enumerable set of tokens and let us identify this set with the set of natural numbers $\mathbb{N}$. Intuitively, tokens represent occurrences of (parallel) processes. We assume that tokens may have colors corresponding for instance to data values attached to the corresponding processes. We consider that each token has $N$ colors, for some fixed natural number $N > 0$. Let $C$ be a (potentially infinite) token color domain. Examples of color domains are the set of natural numbers $\mathbb{N}$ and the set of real numbers $\mathbb{R}$. Also, we consider that tokens can be located at places. Let $P$ be a finite set of such places. Intuitively, places represent control locations of processes. An $N$-dim colored marking is a mapping $M \in [\mathbb{N} \to (P \cup \{\bot\}) \times C^N]$ which associates with each token its place (if it is defined, or $\bot$ otherwise) and the values of its colors.

Let $M$ be an $N$-dim colored marking, let $t \in \mathbb{N}$ be a token, and let $M(t) = (p, c_1, \ldots, c_N) \in (P \cup \{\bot\}) \times C^N$. Then, we consider that $place_M(t)$ denotes the element $p$, that $color_M(t)$ denotes the vector $(c_1, \ldots, c_N)$, and that for every $k \in \{1, \ldots, N\}$, $color_{M,k}(t)$ denotes the element $c_k$. We omit the subscript $M$ when it is clear from the context.

2.2. Colored Markings Logic (CML). The logic CML is parameterized by a (first-order) logic on the considered token color domain $C$, $FO(C, \Omega, \Xi)$, i.e., by the set of operations $\Omega$ and the set of basic predicates (relations) $\Xi$ allowed on $C$. In the sequel, we omit all or some of the parameters of CML when their specification is not necessary.

Let $T$ be a set of token variables ranging over $\mathbb{N}$ (set of tokens) and let $\mathcal{C}$ be a set of color variables ranging over $C$, and assume that $T \cap \mathcal{C} = \emptyset$. Then, the set of terms of CML($C^N, \Omega, \Xi$) (called token color terms) is given by the grammar:

$$t ::= z \mid \delta_k(x) \mid o(t_1, \ldots, t_n)$$

where $z \in \mathcal{C}$, $k \in \{1, \ldots, N\}$, $x \in T$, and $o \in \Omega$. Intuitively, the term $\delta_k(x)$ represents the $k$th color (data value) attached to the token associated with the token variable $x$. We denote by $\equiv$ the syntactic equality relation on terms.

The set of formulas of CML($C^N, \Omega, \Xi$) is given by:

$$\varphi ::= true \mid x = y \mid p(x) \mid r(t_1, \ldots, t_m) \mid \neg\varphi \mid \varphi \vee \varphi \mid \exists z.\ \varphi \mid \exists x.\ \varphi$$

where $x, y \in T$, $z \in \mathcal{C}$, $p \in P \cup \{\bot\}$, $r \in \Xi$. As usual, $false$ and the boolean connectives such as conjunction ($\wedge$) and implication ($\Rightarrow$), and universal quantification ($\forall$) can be defined in terms of $true$, $\neg$, $\vee$, and $\exists$. We also use $\exists x \in p.\ \varphi$ (resp. $\forall x \in p.\ \varphi$) as an abbreviation of the formula $\exists x.\ p(x) \wedge \varphi$ (resp. $\forall x.\ p(x) \Rightarrow \varphi$).

The notions of free/bound occurrences of variables in formulas and the notions of closed/open formulas are defined as usual in first-order logics. Given a formula $\varphi$, the set of free variables in $\varphi$ is denoted $FV(\varphi)$. In the sequel, we assume w.l.o.g. that in every formula, each variable is quantified at most once.

We define a satisfaction relation between colored markings and CML formulas. For that, we need first to define the semantics of CML terms. Given valuations $\theta \in [T \to \mathbb{N}]$, $\nu \in [\mathcal{C} \to C]$, and a colored marking $M$, we define a mapping $\langle\!\langle \cdot \rangle\!\rangle_{M,\theta,\nu}$ which associates with each color term a value in $C$:

$$\langle\!\langle z \rangle\!\rangle_{M,\theta,\nu} = \nu(z)$$

$$\langle\!\langle \delta_k(x) \rangle\!\rangle_{M,\theta,\nu} = color_{M,k}(\theta(x))$$

$$\langle\!\langle o(t_1, \ldots, t_n) \rangle\!\rangle_{M,\theta,\nu} = o(\langle\!\langle t_1 \rangle\!\rangle_{M,\theta,\nu}, \ldots, \langle\!\langle t_n \rangle\!\rangle_{M,\theta,\nu})$$

Then, we define inductively the satisfaction relation $\models_{\theta,\nu}$ between colored markings $M$ and CML formulas as follows:

$M \models_{\theta,\nu} true$ always

$M \models_{\theta,\nu} x = y$ iff $\theta(x) = \theta(y)$

$M \models_{\theta,\nu} p(x)$ iff $place_M(\theta(x)) = p$

$M \models_{\theta,\nu} r(t_1, \ldots, t_m)$ iff $r(\langle\!\langle t_1 \rangle\!\rangle_{M,\theta,\nu}, \ldots, \langle\!\langle t_m \rangle\!\rangle_{M,\theta,\nu})$

$M \models_{\theta,\nu} \neg\varphi$ iff $M \not\models_{\theta,\nu} \varphi$

$M \models_{\theta,\nu} \varphi_1 \vee \varphi_2$ iff $M \models_{\theta,\nu} \varphi_1$ or $M \models_{\theta,\nu} \varphi_2$

$M \models_{\theta,\nu} \exists x.\ \varphi$ iff $\exists t \in \mathbb{N}.\ M \models_{\theta[x \leftarrow t],\nu} \varphi$

$M \models_{\theta,\nu} \exists z.\ \varphi$ iff $\exists c \in C.\ M \models_{\theta,\nu[z \leftarrow c]} \varphi$

For every formula $\varphi$, we define $[\![\varphi]\!]_{\theta,\nu}$ to be the set of colored markings $M$ such that $M \models_{\theta,\nu} \varphi$. A formula is satisfiable iff there exist valuations $\theta$ and $\nu$ s.t. $[\![\varphi]\!]_{\theta,\nu} \neq \emptyset$. The subscripts of $\models$ and $[\![\cdot]\!]$ are omitted in the case of a closed formula.

2.3. Syntactical forms and fragments. 

2.3.1. Prenex normal form: A formula is in prenex normal form (PNF) if it is of the form

$$Q_1 y_1\ Q_2 y_2 \cdots Q_m y_m.\ \varphi$$

where (1) $Q_1, \ldots, Q_m$ are (existential or universal) quantifiers, (2) $y_1, \ldots, y_m$ are variables in $T \cup \mathcal{C}$, and (3) $\varphi$ is a quantifier-free formula. It can be proved that for every formula $\varphi$ in CML, there exists an equivalent formula $\varphi'$ in prenex normal form.

2.3.2. Quantifier alternation hierarchy: We consider two families $\{\Sigma_n\}_{n \geq 0}$ and $\{\Pi_n\}_{n \geq 0}$ of fragments of CML defined according to the alternation depth of existential and universal quantifiers in their PNF:

• Let $\Sigma_0 = \Pi_0$ be the set of formulas in PNF where all quantified variables are in $\mathcal{C}$,

• For $n \geq 0$, let $\Sigma_{n+1}$ (resp. $\Pi_{n+1}$) be the set of formulas $Q y_1 \ldots y_m.\ \varphi$ in PNF where $y_1, \ldots, y_m \in T \cup \mathcal{C}$, $Q$ is the existential (resp. universal) quantifier $\exists$ (resp. $\forall$), and $\varphi$ is a formula in $\Pi_n$ (resp. $\Sigma_n$).

It is easy to see that, for every $n \geq 0$, $\Sigma_n$ and $\Pi_n$ are closed under conjunction and disjunction, and that the negation of a $\Sigma_n$ formula is a $\Pi_n$ formula and vice versa. For every $n \geq 0$, let $B(\Sigma_n)$ denote the set of all boolean combinations of $\Sigma_n$ formulas. Clearly, $B(\Sigma_n)$ subsumes both $\Sigma_n$ and $\Pi_n$, and is included in both $\Sigma_{n+1}$ and $\Pi_{n+1}$.
2.3.3. Special form: The set of formulas in special form is given by the grammar:

$$\varphi ::= true \mid x = y \mid r(t_1, \ldots, t_n) \mid \neg\varphi \mid \varphi \vee \varphi \mid \exists z.\ \varphi \mid \exists x \in p.\ \varphi$$

where $x, y \in T$, $z \in \mathcal{C}$, $p \in P \cup \{\bot\}$, $r \in \Xi$, and $t_1, \ldots, t_n$ are token color terms. So, formulas in special form do not contain atoms of the form $p(x)$.

It is not difficult to see that for every closed formula $\varphi$ in CML, there exists an equivalent formula $\varphi'$ in special form. The transformation is based on the following fact: since variables are assumed to be quantified at most once in formulas, each formula $\exists x.\ \phi$ can be replaced by $\bigvee_{p \in P \cup \{\bot\}} \exists x \in p.\ \phi_{x,p}$ where $\phi_{x,p}$ is obtained by substituting in $\phi$ each occurrence of $p(x)$ by $true$, and each occurrence of $q(x)$, with $p \neq q$, by $false$.

2.3.4. Examples of properties expressible in CML: The fact that "the place $p$ is empty" is expressed by the $\Pi_1$ formula $\forall x.\ \neg p(x)$. The fact that "$p$ contains precisely one token" is expressed by the $B(\Sigma_1)$ formula: $(\exists x \in p.\ true) \wedge (\forall y, z \in p.\ y = z)$. The $\Pi_1$ formula $\forall x, y \in p.\ x = y$ expresses the fact that $p$ has one or zero token.

The properties above do not depend on the colors of the token. The following examples show that the number of tokens in a place is also determined by properties of colors attached to tokens. Let us consider now the logic CML($\mathbb{N}, \{0\}, \{<\}$). Then, the fact that "$p$ contains an infinite number of tokens" is implied by the $\Pi_2$ formula:

$$\forall x \in p.\ \exists y \in p.\ \delta_1(x) < \delta_1(y)$$

Conversely, the fact that "$p$ has a finite number of tokens" is implied by the $\Sigma_2$ formula:

$$\exists x, y \in p.\ \forall z, u \in p.\ \delta_1(x) \leq \delta_1(z) \leq \delta_1(y) \wedge (\delta_1(z) = \delta_1(u) \Rightarrow z = u)$$

3. Satisfiability Problem: Undecidability 

We show hereafter that the satisfiability problem of the logic CML is undecidable as soon as we consider formulas in $\Pi_2$, and this holds even for simple theories on colors.

Theorem 3.1. The satisfiability problem of the fragment $\Pi_2$ of CML($\mathbb{N}^2, \{0\}, \{<\}$) is undecidable.

Proof. The proof is done by reduction of the halting problem of Turing machines. The idea is to encode a computation of a machine, seen as a sequence of tape configurations, using tokens with integer colors. Each token represents a cell in the tape of the machine at some computation step. Therefore, the token has two integer colors: its position in the tape, and the position of its configuration in the computation (the computation step). The place of a token identifies uniquely the letter stored in the associated cell, the control state of the machine in the computation step of the cell, and the position of the head. Then, it is possible to express using formulas in $\Pi_2$ that two consecutive configurations correspond indeed to a valid transition of the machine. Intuitively, this is possible because $\Pi_2$ formulas allow to relate each cell at some configuration to the corresponding cell at the next configuration.

Let us fix the notations used for Turing machines. A Turing machine is defined by $\mathcal{M} = (Q, \Gamma, B, q_0, q_f, \Delta)$ where $Q$ is its finite set of states, $\Gamma$ is the finite tape alphabet containing the default blank symbol $B$, $q_0, q_f \in Q$ are the initial resp. the final state, and $\Delta$, called the transition relation, is a subset of $Q \times \Gamma \times Q \times \Gamma \times \{L, R\}$.
A configuration of the machine is given by a triplet $(q, T, i)$ where $q \in Q$, $T \in [\mathbb{N} \to \Gamma]$ is the tape of cells identified by their position $j \in \mathbb{N}$ and storing a letter $T(j) \in \Gamma$, and $i$ is the position of the head on the tape.

A transition $(q, X, q', Y, d) \in \Delta$ defines a relation between two configurations $(q, T, i)$ and $(q', T', i')$ iff either $i' = i + 1$ and $d = R$ or $i' = i - 1$ and $d = L$, the machine reads $X$ at position $i$, i.e. $T(i) = X$, and writes $Y$ at the same position, i.e. $T'(i) = Y$, and in any other position $k$ different from $i$, the tapes $T$ and $T'$ are equal, i.e. $\forall k.\ k \neq i \Rightarrow T(k) = T'(k)$. The initial configuration of the machine is $(q_0, T_0, 0)$ where $T_0$ is the tape with all cells containing the blank symbol $B$.

Without loss of generality, we suppose that (a) the machine has no deadlocks, (b) the 
head never goes left when it is at position 0, and (c) when the final state is reached the 
machine loops in this state. 

We proceed now to the encoding of a computation that reaches the final state using a $\Pi_2$ formula of CML($\mathbb{N}^2, \{0\}, \{<\}$).

Instead of generic names $\delta_1$ and $\delta_2$ for color functions we use more intuitive names $step$ and $cell$ respectively. A token $x$ with $step(x) = j$ and $cell(x) = i$ represents the $i$th cell of the $j$th configuration in a computation.

We define the set of places $P = \Gamma \times \{Head, NotHead\} \times Q$ and, for convenience, we denote members of $P$ by strings, e.g., $A\_Head\_q$ with $A \in \Gamma$ and $q \in Q$. A token $x$ in a place named $A\_Head\_q$ encodes a cell labeled by the letter $A$ in a configuration where the head is at the position $cell(x)$ and the current state is $q$. Since in a given configuration the head and the control state have a unique occurrence, our encoding includes the property that, among all tokens that have the same $step$ color, there is only one token in a place containing $Head$ in its name.

First, we encode the properties of tapes. For this, we introduce the shorthand notation $Head(x)$, parametrized by a token variable $x$, expressing that the token represented by $x$ encodes a cell that carries the head, i.e., the name of its place has $Head$ as substring.

$$Head(x) = \bigvee_{q \in Q} \bigvee_{A \in \Gamma} A\_Head\_q(x)$$

The following $\Pi_2$ formula $Tapes$ expresses that, for any tape $j$ in an infinite computation, any cell $i$ is represented by a unique token $x$ (conditions (3.1) and (3.2)), and there is exactly one token $z$ which represents the position of the head (conditions (3.3) and (3.4)).

$$Tapes = \forall i, j.\ \exists x.\ cell(x) = i \wedge step(x) = j \quad (3.1)$$

$$\wedge\ \forall x, y.\ (step(x) = step(y) \wedge cell(x) = cell(y)) \Rightarrow x = y \quad (3.2)$$

$$\wedge\ \forall j.\ \exists x.\ step(x) = j \wedge Head(x) \quad (3.3)$$

$$\wedge\ \forall x, y.\ (Head(x) \wedge Head(y)) \Rightarrow (step(x) \neq step(y)) \quad (3.4)$$

Second, we encode the initial configuration using the following $B(\Sigma_1)$ formula:

$$Init = \forall x.\ (step(x) = 0 \wedge cell(x) > 0) \Rightarrow B\_NotHead\_q_0(x)$$

$$\wedge\ \exists x.\ step(x) = 0 \wedge cell(x) = 0 \wedge B\_Head\_q_0(x)$$

Third, we encode the termination condition saying that, at some step, the computation reaches the final state:

$$Acceptance = \exists x.\ \bigvee_{A \in \Gamma} A\_Head\_q_f(x)$$
Finally, we encode each transition, i.e., the condition defining when two successive configurations correspond to a valid transition in the machine. For this, we have to fix the token storing the head in the current configuration ($x$), the tokens at the left ($x_l$) and at the right ($x_r$) of the head in the current configuration, and the tokens in the next configuration having the same position as $x$, $x_l$, and $x_r$ ($x'$, $x'_l$, resp. $x'_r$). When this identification is done (see the left part of the implication), we have to decompose the global transition over all transitions $\delta \in \Delta$:

$$Trans = \forall x, x_l, x_r, x', x'_l, x'_r.$$

$$\left(\begin{array}{l} Head(x) \\ \wedge\ step(x) = step(x_l) \wedge step(x) = step(x_r) \\ \wedge\ \neg(\exists y.\ cell(x_l) < cell(y) < cell(x)) \\ \wedge\ \neg(\exists y.\ cell(x) < cell(y) < cell(x_r)) \\ \wedge\ \neg(\exists y.\ step(x) < step(y) < step(x')) \\ \wedge\ step(x') = step(x'_l) \wedge step(x') = step(x'_r) \\ \wedge\ cell(x) = cell(x') \wedge cell(x_l) = cell(x'_l) \wedge cell(x_r) = cell(x'_r) \end{array}\right) \Rightarrow \bigvee_{\delta \in \Delta} Trans_\delta(x, x_l, x_r, x', x'_l, x'_r)$$

where $Trans_\delta$ relates its parameters according to transition $\delta$. For example, if the transition $\delta$ is of the form $(q, X, q', Y, L)$ (the case of head moving to the right is symmetrical), then we obtain the following $\Pi_1$ formula:

$$Trans_\delta(x, x_l, x_r, x', x'_l, x'_r) = X\_Head\_q(x) \wedge Y\_NotHead\_q'(x')$$

$$\wedge\ \bigwedge_{A \in \Gamma} \big(A\_NotHead\_q(x_l) \Rightarrow A\_Head\_q'(x'_l)\big)$$

$$\wedge\ \forall y, y'.\ \left(\begin{array}{l} y \neq x \wedge y \neq x_l \\ \wedge\ y' \neq x' \wedge y' \neq x'_l \\ \wedge\ step(y) = step(x) \\ \wedge\ step(y') = step(x') \\ \wedge\ cell(y) = cell(y') \end{array}\right) \Rightarrow Same(y, y')$$

where the shorthand notation $Same(y, y')$ stands for

$$\bigwedge_{A \in \Gamma} \big(A\_NotHead\_q(y) \Leftrightarrow A\_NotHead\_q'(y')\big)$$

and expresses that the two tokens $y$ and $y'$ carry the same letter. Then, the $Trans$ formula is in $\Pi_2$ (its matrix under the outermost universal quantifiers is in $B(\Sigma_1)$).

The conjunction $Tapes \wedge Init \wedge Trans \wedge Acceptance$ is a $\Pi_2$ formula which is satisfiable iff there is an accepting run. This reduction shows the undecidability of satisfiability for the $\Pi_2$ fragment of CML($\mathbb{N}^2, \{0\}, \{<\}$). □



4. Satisfiability problem: A Generic Decidability Result 

We prove in this section that the satisfiability problem for formulas in the fragment $\Sigma_2$ of CML is decidable whenever this problem is decidable for the underlying color logic.

Theorem 4.1. The satisfiability problem of the fragment $\Sigma_2$ of CML($C^N, \Omega, \Xi$), for any $N \geq 1$, is decidable provided that the satisfiability problem of $FO(C, \Omega, \Xi)$ is decidable.
Proof. The idea of the proof is to reduce the satisfiability problem of $\Sigma_2$ formulas to the satisfiability problem of $\Sigma_0$ formulas. We proceed as follows: we prove first that the fragment $\Sigma_2$ has the small model property, i.e., every satisfiable formula $\varphi$ in $\Sigma_2$ has a model of a bounded size (where the size is the number of tokens in each place). This bound corresponds actually to the number of existentially quantified token variables in the formula. Notice that this fact does not lead directly to an enumerative decision procedure for the satisfiability problem since the number of models of a bounded size is infinite in general (due to infinite color domains). Then we use the fact that over a finite model, the universal quantifications in $\varphi$ can be transformed into finite conjunctions in order to build a formula $\widehat{\varphi}$ in $\Sigma_1$ which is satisfiable if and only if the original formula $\varphi$ is satisfiable. Actually, $\widehat{\varphi}$ defines precisely the upward-closure of the set of markings defined by $\varphi$ (w.r.t. the inclusion ordering between sets of colored markings, extended to vectors of places). Finally we show that the $\Sigma_1$ formula $\widehat{\varphi}$ is satisfiable if and only if the $\Sigma_0$ formula obtained by transforming existential quantification over tokens into existential quantification over colors is satisfiable.

We define the size of a marking $M$ to be the number of tokens $x$ for which $place_M(x) \neq \bot$. A marking $M'$ is said to be a sub-marking of a marking $M$ if all tokens $x$ in $M'$ for which $place_{M'}(x) \neq \bot$ are mapped identically by $M$ and $M'$. We also define the upward closure of a set of markings $\mathcal{M}$ to be the set of all the markings that have a sub-marking in $\mathcal{M}$.

First, we show the following lemma: 

Lemma 4.2. Let $\varphi$ be a $\Sigma_2$ closed formula $\varphi = \exists\vec{x}.\ \exists\vec{z}.\ \forall\vec{y}.\ \phi$ where $\vec{x}$ and $\vec{y}$ are token variables, $\vec{z}$ are color variables, and $\phi$ is a $\Sigma_0$ formula. Then:

(1) $\varphi$ has a model iff it has a model of size less than or equal to $|\vec{x}|$.

(2) The upward closure of $[\![\varphi]\!]$ w.r.t. the sub-marking ordering is effectively definable in $\Sigma_1$.
Proof. Point (1): ($\Leftarrow$) Immediate.

($\Rightarrow$) Let $M$ be a model of $\varphi$. Then, there exist a vector of tokens $\vec{t} \subseteq \mathbb{N}$, a vector of colors $\vec{c} \subseteq C$, and two mappings $\theta : \vec{x} \mapsto \vec{t}$ and $\nu : \vec{z} \mapsto \vec{c}$ such that $M \models_{\theta,\nu} \forall\vec{y}.\ \phi$.

Given any universally quantified formula, it is always the case that if it is satisfied by a marking then it is also satisfied by all its sub-markings (w.r.t. the inclusion ordering). In particular, we define $M'$ to be the sub-marking of $M$ that agrees only on tokens in $\vec{t}$. Then, we have $M' \models_{\theta,\nu} \forall\vec{y}.\ \phi$, and therefore $M' \models \exists\vec{x}.\ \exists\vec{z}.\ \forall\vec{y}.\ \phi$. Therefore, for the fragment $\Sigma_2$, every satisfiable formula $\varphi = \exists\vec{x}.\ \exists\vec{z}.\ \forall\vec{y}.\ \phi$ has a model of size less than or equal to $|\vec{x}|$. However this fact does not imply the decidability of the satisfiability problem since the color domain is infinite.

Point (2): We show that for any formula $\varphi$ in $\Sigma_2$ there exists a formula $\widehat{\varphi}$ such that any model $M$ of $\widehat{\varphi}$ has a sub-marking $M'$ which is a model of $\varphi$, i.e., the upward closure of the set of models of $\varphi$ is given by the set of models of $\widehat{\varphi}$.

Let $\Theta$ be the set of all (partial or total) mappings $\sigma$ from elements of $\vec{y}$ to elements of $\vec{x}$. Then, we have that any model $M$ of $\varphi$ is also a model of $\exists\vec{x}.\ \exists\vec{z}.\ \phi^{(\Theta)}$ where

$$\phi^{(\Theta)} = \bigwedge_{\sigma \in \Theta} \forall\vec{y}.\ \Big(\Big(\big(\bigwedge_{y \in dom(\sigma)} y = \sigma(y)\big) \wedge \big(\bigwedge_{y \notin dom(\sigma)}\ \bigwedge_{x \in \vec{x}} y \neq x\big)\Big) \Rightarrow \phi\Big)$$

This means that there exist a vector of tokens $\vec{t} \subseteq \mathbb{N}$, a vector of colors $\vec{c} \subseteq C$, and two mappings $\theta : \vec{x} \mapsto \vec{t}$ and $\nu : \vec{z} \mapsto \vec{c}$ such that $M \models_{\theta,\nu} \phi^{(\Theta)}$. Consider now $M'$ to be the sub-marking of $M$ that agrees only on tokens in $\vec{t}$. Then, $M \models_{\theta,\nu} \phi^{(\Theta)}$ implies that:

$$M' \models_{\theta,\nu} \bigwedge_{\sigma \in \Theta,\ dom(\sigma) = \vec{y}} \forall\vec{y}.\ \Big(\big(\bigwedge_{y \in \vec{y}} y = \sigma(y)\big) \Rightarrow \phi\Big)$$

which is equivalent to $M' \models \widehat{\varphi}$ with:

$$\widehat{\varphi} = \exists\vec{x}.\ \exists\vec{z}.\ \bigwedge_{\sigma \in \Theta,\ dom(\sigma) = \vec{y}} \phi[\sigma(y)/y]_{y \in \vec{y}}$$

By definition of $\widehat{\varphi}$, any of its minimal models is also a model of $\varphi$, and any of the models of $\widehat{\varphi}$ has a sub-model that is a model of $\varphi$. □

A direct consequence of the lemma above is that it is possible to reduce the satisfiability problem from $\Sigma_2$ to $\Sigma_1$. To prove the main theorem, we have to show that the satisfiability problem of $\Sigma_1$ can be reduced to one of $\Sigma_0$. Let us consider a $\Sigma_1$ formula $\varphi = \exists\vec{x}.\ \phi$ with $\phi$ in $\Sigma_0$.

We do the following transformations: (1) we eliminate token equality by enumerating 
all the possible equivalence classes for equality between the finite number of variables in x , 
then (2) we eliminate formulas of the form p{x) by enumerating all the possible mappings 
from a token variable x to places in P, and (3) we replace terms of the form 5k {x) by fresh 
color variables. Let us describe more formally these three transformations. 

Step 1: Let ^("af) be the set of all possible equivalence classes (w.r.t. the equality relation) 
over elements oilc: an element e in B{^) is a mapping from to a vector of variables 
Ic^^^ C Ic that contains only one variable for each equivalence class. 

We define to be (f)\lc^^^ /~x \ where, after the substitution, each atomic formula that 
is a token equality is replaced by ^Hrue" if it is a trivial equality x = x and by ^^false" 
otherwise. Clearly ip is equivalent to 

V 3^(^). /\{xl'^y^xf)Acf>e 

Step 2: Similarly, we eliminate from the occurrences of formulas p[x). For a mapping 
a G \lc^'^'> — > P] and a variable x, a{x){x) is a formula saying that the variable x is in the 
place a{x). We use the notation a{^)(^) instead of /\^ a{xi){xi). Again, for each value of 
cr and e we define (/^e.a to be 4>e where each atomic sub-formula p{x) is replaced by ''''true''' 
if (j{x) = p and by ^^false" otherwise. 

Then, we obtain an equivalent formula p=^p: 

V 31?(^). A(4'^ 7^ 4^) A V ^^(^^'^)(^^'^) A <Pe,a 

where sub-formulas ^e,<T do not contain any atoms of the form x^f' = x^-^"* or 
ipe^a is not a Sq formula, because it contains terms of the form Sk{x). 
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Step 3: For each coloring symbol 5k and each token variable x G lc^^\ we define a color 
variable Sk,x- Let ~s^^^ be a vector containing all such color variables for each variable in 
~x^^\ Then the formula (p=^p is satisfiable iff the following Sq formula is satisfiable: 

\l Jsl. \l (l)eAsk,x/5k{x)]^<k<N,x€lt<^-) 

Therefore, the satisfiability problem of E2 can be reduced to satisfiability problem of 
So, which is decidable by hypothesis. □ 

Complexity: From the last part of the proof, it follows that the satisfiability problem of 
a Si formula can be reduced in NP time to the satisfiability problem of a formula in the 
color logic FO(C,ri,S). Indeed, in Step 1 an equivalence relation between the existentially 
quantified variables ~x is guessed and in Step 2 a place in P for the representative of each 
equivalence class is guessed, and given these guesses, a Sq formula of linear size (w.r.t. the 
size of the original Si) is built. 

From the first part of the proof, it follows that the reduction from the satisfiability 
problem of a S2 formula to the satisfiability of a Si formula is in general exponential. More 
precisely, if 93 = 31c . 3~z . y~y. is a S2 formula, then the cqui-satisfiable Si formula (p is 
of size 0(|l?|'^'|(y9|). Therefore, the reduction of a S2 formula to an equi-satisfiable formula 
in So is in NEXPTIME. 

If the number of universally quantified variables (i.e., \'y'\) is fixed, the reduction to an 
equi-satisfiable Si formula tp becomes polynomial in the number of existentially quantified 
variables (i.e., |^|). Then, in this case, the complexity of the reduction from S2 formulas 
to equi-satisfiable So formulas is in NP. 

5. Constrained Petri Nets

We introduce hereafter models for networks of processes based on multiset rewriting systems with data.

A Constrained Petri Net (CPN) over the logic $\mathrm{CML}(C^N, \Omega, \Xi)$ is a tuple $S = (P, \Delta)$ where $P$ is a finite set of places used in CML, and $\Delta$ is a finite set of constrained transitions of the form:

$$p_1, \ldots, p_n \hookrightarrow q_1, \ldots, q_m : \varphi \qquad (5.1)$$

where $p_i, q_j \in P$ for all $i \in \{1, \ldots, n\}$ and $j \in \{1, \ldots, m\}$, and $\varphi$ is a $\mathrm{CML}(C^N, \Omega, \Xi)$ formula called the transition guard such that (1) $FV(\varphi) = \{x_1, \ldots, x_n\} \cup \{y_1, \ldots, y_m\}$, and (2) all occurrences of the variables $y_j$ in $\varphi$, for any $j \in \{1, \ldots, m\}$, are in terms of the form $\delta_k(y_j)$, for some $k \in \{1, \ldots, N\}$.

Configurations of CPNs are colored markings. Intuitively, the application of a constrained transition to a colored marking $M$ (leading to a colored marking $M'$) consists in (1) deleting the tokens represented by the variables $x_i$ from the corresponding places $p_i$, and (2) creating the tokens represented by the variables $y_j$ in the places $q_j$, provided that the formula $\varphi$ is satisfied. The formula $\varphi$ expresses constraints on the tokens in the marking $M$ (especially on the tokens which are deleted) as well as constraints on the colors of the created tokens (relating these colors with those of the tokens in $M$). Condition (2) on guards is what makes $\varphi$ evaluable in $M$: the created tokens do not exist yet, so the guard may only constrain their colors, never their identity or their location.

Formally, given a CPN $S$, we define a transition relation $\rightarrow_S$ between colored markings as follows: for every two colored markings $M$ and $M'$, we have $M \rightarrow_S M'$ iff there exist a constrained transition of the form (5.1) and tokens $t_1, \ldots, t_n$ and $t'_1, \ldots, t'_m$ such that $\forall i, j \in \{1, \ldots, n\}.\ i \neq j \Rightarrow t_i \neq t_j$, and $\forall i, j \in \{1, \ldots, m\}.\ i \neq j \Rightarrow t'_i \neq t'_j$, and

(1) $\forall i \in \{1, \ldots, n\}.\ \mathit{place}_M(t_i) = p_i$ and $\mathit{place}_{M'}(t_i) = \bot$,

(2) $\forall i \in \{1, \ldots, m\}.\ \mathit{place}_M(t'_i) = \bot$ and $\mathit{place}_{M'}(t'_i) = q_i$,

(3) $\forall t \in N$, if $\forall i \in \{1, \ldots, n\}.\ t \neq t_i$ and $\forall j \in \{1, \ldots, m\}.\ t \neq t'_j$, then $M(t) = M'(t)$,

(4) $M \models_{\theta, \nu_\emptyset} \varphi'$, where $\varphi'$ is obtained from $\varphi$ by replacing every term $\delta_k(y_j)$, for $1 \leq k \leq N$ and $1 \leq j \leq m$, by the $k$-th color of the created token $t'_j$ in $M'$, where $\theta \in [T \rightarrow N]$ is a valuation of token variables such that $\forall i \in \{1, \ldots, n\}.\ \theta(x_i) = t_i$, and $\nu_\emptyset$ is the empty-domain valuation of color variables.

Given a colored marking $M$, let $\mathit{post}_S(M) = \{M' : M \rightarrow_S M'\}$ be the set of all immediate successors of $M$, and let $\mathit{pre}_S(M) = \{M' : M' \rightarrow_S M\}$ be the set of all immediate predecessors of $M$. These definitions generalize straightforwardly to sets of markings. Given a set of colored markings $\mathcal{M}$, let $\widetilde{\mathit{pre}}_S(\mathcal{M}) = \overline{\mathit{pre}_S(\overline{\mathcal{M}})}$, where $\overline{(\cdot)}$ denotes complementation (w.r.t. the set of all colored markings).

Given a fragment $\Theta$ of CML, we denote by $\mathrm{CPN}[\Theta]$ the class of CPNs where all transition guards are formulas in the fragment $\Theta$. Due to the (un)decidability results of Sections 3 and 4, we focus in the sequel on the classes $\mathrm{CPN}[\Sigma_2]$ and $\mathrm{CPN}[\Sigma_1]$.

6. Modeling Power of CPN 

We show in this section how constrained Petri nets can be used to model (unbounded) 
dynamic networks of parallel processes. We assume that each process is defined by an 
extended automaton, i.e., a finite-control state machine supplied with variables and data 
structures ranging over potentially infinite domains (such as integer variables, reals, etc). 
Processes running in parallel can communicate and synchronize using various kinds of mech- 
anisms (rendez-vous, shared variables, locks, etc). Moreover, they can dynamically spawn 
new (copies of) processes in the network. 

More precisely, let $Q$ be the finite set of control locations of the extended automata, and let $\vec{l} = (l_1, \ldots, l_N)$ and $\vec{g} = (g_1, \ldots, g_G)$ be the sets of local, respectively global, variables manipulated by these automata. Transitions between control locations are labeled by actions which combine (1) tests over the values of local/global variables, (2) assignments of local/global variables, (3) creation of a new process in a control location, and (4) synchronization (e.g., CCS-like rendez-vous, locks, priorities, etc.). Tests over variables are first-order assertions based on a set of predicates $\Xi$. Variables are assigned with expressions built from local and global variables using a set of operations $\Omega$.

Example 6.1. Reader-writer is a classical synchronization scheme used in operating systems or other large-scale systems. It allows processes to work (read and write) on shared data. Reader processes may read data in parallel but they are exclusive with writers. Writer processes can only work in exclusive mode with respect to all other processes. A reader-writer lock is used to implement this kind of synchronization for any number of readers and writers. For this, readers have to acquire the lock in read mode and writers in write mode.

Let us consider the program proposed in [FFQ02] and using the reader-writer lock given in Table 1. It consists of several Reader and Writer processes. The code of each process is given in Table 1. (To keep the example readable, we omit the processes spawning the readers and writers.) The program uses a global reader-writer lock variable l and a global variable x representing the shared data. Each Reader process has a local variable y.

    process Writer:
      1: l.acq_write(_pid);
         x = g(x);
         l.rel_write(_pid);

    process Reader:
      1: l.acq_read(_pid);
         y = f(x);
         l.rel_read(_pid);

Table 1: Example of program using reader-writer lock.
[Figure 1: Extended automata model for the program in Table 1. Writer: w1 --l.acq_write(_pid)--> w2 --x:=g(x)--> w3 --l.rel_write(_pid)--> w4. Reader: r1 --l.acq_read(_pid)--> r2 --y:=f(x)--> r3 --l.rel_read(_pid)--> r4.]



Moreover, each process has a unique identifier represented by the _pid local variable. Let us assume that x, y, and _pid are of integer type. Writer processes change the value of the global variable x after acquiring the lock in write mode. Reader processes set their local variable y to a value depending on x after acquiring the lock in read mode.

Then, the extended automata model for the program in Table 1 is obtained by associating a control location with each line of the program and by labeling the transitions between control locations with the statements of the program. The extended automata model is given in Figure 1.

We show hereafter how to build a CPN model for a network of extended automata as described above. The logic of markings used by the CPN model is $\mathrm{CML}(C^N, \Omega, \Xi)$ where $N \geq 1$ is the (maximal) number of local variables of each process. To each control location in $Q$ and to each global variable in $\vec{g}$ is associated a unique place in $P$. Then, each running process is represented by a token, and in every marking, the place associated with the control location $q \in Q$ contains precisely the tokens representing the processes which are at the control location $q$. The value of a local variable $l_i$ of a process represented by a token $t$ is given by $\delta_i(t)$. For global variables which are scalar, the associated place in $P$ (for convenience, we use the same name for the place and the global variable) contains a single token whose first color stores the current value of the global variable. Global variables representing parametric-size collections may also be modeled by a place storing, for each element of the collection, a token whose first color gives the value of the element. However, we cannot express in the decidable fragment $\Sigma_2$ of CML the fact that a multiset indeed encodes an array of elements indexed by integers in some given interval. The reason is that, while we can express in $\Pi_1$ the fact that each token has a unique color in the interval, we need $\Pi_2$ formulas to say that for each color in the interval there exists a token with that color. Nevertheless, for the verification of safety properties and for checking invariants, it is not necessary to require the latter property: dropping it only enlarges the set of configurations considered, so a safety property established on the larger set also holds for the original system.

The set of constrained transitions of the CPN associated with the network is obtained using the following general rules. In all of them, the token variable $x_1$ (resp. $y_1$) denotes the token of the process performing the action before (resp. after) the transition, and $x_{k+1}$ (resp. $y_{k+1}$) denotes the token holding the global variable $g_k$.

Test: A process action $q \xrightarrow{\phi(\vec{l}, \vec{g})} q'$, where $\phi$ is a $\mathrm{FO}(C, \Omega, \Xi)$ formula, is modeled by:

$$q, g_1, \ldots, g_G \hookrightarrow q', g_1, \ldots, g_G : \phi\eta \wedge \bigwedge_{i=1}^{G+1} \varphi_{id}(i)$$

where $\eta$ is the substitution $[\delta_k(x_1)/l_k]_{1 \leq k \leq N}[\delta_1(x_{k+1})/g_k]_{1 \leq k \leq G}$, and

$$\varphi_{id}(i) = \bigwedge_{j=1}^{N} \delta_j(y_i) = \delta_j(x_i)$$

i.e., $\varphi_{id}(i)$ states that the $i$-th token is recreated with exactly the colors it had before the transition.

Assignment: A process action $q \xrightarrow{(\vec{l}, \vec{g}) := \vec{t}(\vec{l}, \vec{g})} q'$, where $\vec{t}$ is a vector of $N + G$ $\Omega$-terms, is modeled by:

$$q, g_1, \ldots, g_G \hookrightarrow q', g_1, \ldots, g_G : \bigwedge_{i=1}^{N} \delta_i(y_1) = t_i\eta \wedge \bigwedge_{j=1}^{G} \delta_1(y_{j+1}) = t_{N+j}\eta$$

where $\eta$ is the substitution defined in the previous case.

In the modeling above, we consider that the execution of the process action is atomic. When tests and assignments are not atomic, we must transform each of them into a sequence of atomic operations: first read the global variables and assign their values to local variables, then compute locally the new values to be assigned/tested, and finally assign/test these values.

Process creation: An action spawning a new process, $q \xrightarrow{\mathit{spawn}(q_0)} q'$, is modeled using a transition which creates a new token in the initial control location $q_0$ of the new process:

$$q \hookrightarrow q', q_0 : \varphi_{id}(1) \wedge \varphi_0$$

where $\varphi_0$ is $\bigwedge_{i=1}^{N} \delta_i(y_2) = \mathit{null}$, with $\mathit{null}$ the general initial value for local variables.

Moreover, it is possible to associate with each newly created process an identity, classically defined by a positive integer. For that, let us consider that the first color $\delta_1$ gives the identity of the process represented by the token. To ensure that different processes have different identities, we express in the guard of every transition which creates a process the fact that the identity of this process does not already exist among the tokens in the places corresponding to control locations. This can easily be done using a universally quantified ($\Pi_1$) formula. Therefore, a spawn action $q \xrightarrow{\mathit{spawn}(q_0)} q'$ is modeled by:

$$q \hookrightarrow q', q_0 : \varphi_{id}(1) \wedge \varphi'_0$$

where

$$\varphi'_0 = \bigwedge_{i=2}^{N} \delta_i(y_2) = \mathit{null} \wedge \bigwedge_{p \in Q} \forall t \in p.\ \neg(\delta_1(y_2) = \delta_1(t))$$

The modeling of other actions (such as local/global variable assignments/tests) can be modified accordingly in order to propagate the process identity through the transition. Notice that process identities are different from token values. Indeed, in some cases (e.g., for modeling value passing as described further in this section), we may use different tokens (at some special places representing buffers, for instance) having the same identity $\delta_1$.
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ri : 


rl ^ 


r2, r 


r2 : 


r2, X ^ 




rs : 


r3, r ^ 


^ r4 



w;i : wl,w ^ w2,w : -i(3z € r. true) A 52(iC2) < A (52(^2) = '5i(xi)A 

<^i(y2) = 5i(a;2) A 

W2 : ti;2,j; ?i;3,x : ^2(^2) = 5'(^2(2;2)) A (5i(y2) = 5i(a:2) A 99^^(1) 

^3 : w3,w ^ w4:,w : 52(x2) = A 52(^2) = -1 A 5i(y2) = '5i(2;2) A 99^^(1) 

(Vz G tx;. 52(2) < 0) A 5i{y2) = 5i{xi) A (^id(l) 
<52(yi) = /('^2(a:2)) A <5i(xi) = <5i(yi) A (^^^(2) 
5i{xi) = 5i{x2) A 99id(l) 

Table 2: CPN model of reader-writer lock. 

Synchronization using locks: Locks can be simply modeled using global variables storing the identity of the owner process, or a special value (e.g. $-1$) if the lock is free. A process which acquires the lock must check that it is free, and then write its identity:

$$q, \mathit{lock} \hookrightarrow q', \mathit{lock} : \delta_1(x_2) = -1 \wedge \delta_1(y_2) = \delta_1(x_1) \wedge \ldots$$

To release the lock, a process assigns $-1$ to the lock, which can be modeled in a similar way (the guard of the releasing transition should also check that the process is the owner, i.e., $\delta_1(x_2) = \delta_1(x_1)$; otherwise any process could release a lock it does not hold). Other kinds of locks, such as reader-writer locks, can also be modeled in our framework, as we show in the following example.

Example 6.2. Let us consider the extended automaton using the reader-writer lock given in Figure 1. For each of its states we introduce a place (e.g., place $r3$ for state r3). For the scalar global variable x, we create a place $x$ containing a single token.

The global variable representing the reader-writer lock is modeled following the classical implementation [Ari08] which uses two variables:

• a global integer w to store the identifier of the process holding the lock in write mode, or $-1$ if no such process exists (process identifiers are supposed to be positive integers), and

• a global set of integers r to represent the processes holding the lock in read mode.

Acquire (acq_read, acq_write) and release (rel_read, rel_write) operations access the variables w and r atomically. Then, we introduce a place $w$ (containing a single token) for the scalar global variable w. For the global set variable r we introduce a place $r$ which contains a token for each Reader process owning the lock. Consequently, we need two colors for each token in the system: $\delta_1$ to store the identity of processes, and $\delta_2$ to store the local variable y for tokens representing Reader processes and the value of the global variables w and x for the tokens in the places $w$ resp. $x$.

Therefore, the CPN model obtained is defined over the logic $\mathrm{CML}(\mathbb{N}^2, \{0, f, g\}, \{<\})$, its set of places is $P = \{r1, r2, r3, r4, w1, w2, w3, w4, r, w, x\}$, and its transition set $\Delta$ is given in Table 2. This model belongs to the class $\mathrm{CPN}[\Pi_1]$.
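The transition relation of Section 5 instantiated on the reader-writer CPN of Table 2, as an added example in Python (not code from the paper). Each transition is a guard plus a token deletion/creation on a marking represented as a set of tokens $(place, \delta_1, \delta_2)$; the state space of a bounded network (two readers, two writers) is enumerated explicitly and the mutual-exclusion invariant is checked on every reachable marking, which is the finite-instance counterpart of the symbolic invariance checking of the later sections. Assumptions of this example: $f$ and $g$ are successor functions (the paper leaves them uninterpreted), and the unconstrained color $\delta_2$ of the token added to $r$ is fixed to 0. The `check_readers=False` variant drops the $\neg(\exists z \in r.\ \mathit{true})$ conjunct from $w_1$ to show what that $\Pi_1$ guard protects.

```python
from collections import deque

# ASSUMPTION: the paper leaves f and g uninterpreted; successor is used here so the
# state space stays finite (each writer updates x once).
def f(v):
    return v + 1

def g(v):
    return v + 1

# A marking is a frozenset of tokens (place, delta_1, delta_2).  delta_1 is the
# process identity for process tokens (0 for the tokens of the globals w and x);
# delta_2 is y for readers, and the value of w or x for the global tokens.
def tokens_in(M, place):
    return [t for t in M if t[0] == place]

def single(M, place):
    """The unique token in the place of a scalar global variable (w or x)."""
    (t,) = tokens_in(M, place)
    return t

def successors(M, check_readers=True):
    """All M' with M -> M' for the six transitions r1..w3 of Table 2.
    check_readers=False drops the conjunct -(exists z in r. true) from w1."""
    out = []
    w, x = single(M, 'w'), single(M, 'x')
    for t in tokens_in(M, 'r1'):        # r1: acquire read, only if no writer holds w
        if w[2] < 0:
            # delta_2 of the new token in r is unconstrained in Table 2; fixed to 0 here
            out.append(M - {t} | {('r2', t[1], t[2]), ('r', t[1], 0)})
    for t in tokens_in(M, 'r2'):        # r2: y := f(x)
        out.append(M - {t} | {('r3', t[1], f(x[2]))})
    for t in tokens_in(M, 'r3'):        # r3: release read, removing this reader's token from r
        for u in tokens_in(M, 'r'):
            if u[1] == t[1]:
                out.append(M - {t, u} | {('r4', t[1], t[2])})
    for t in tokens_in(M, 'w1'):        # w1: acquire write if w is free and r is empty
        if w[2] < 0 and (not check_readers or not tokens_in(M, 'r')):
            out.append(M - {t, w} | {('w2', t[1], t[2]), ('w', w[1], t[1])})
    for t in tokens_in(M, 'w2'):        # w2: x := g(x)
        out.append(M - {t, x} | {('w3', t[1], t[2]), ('x', x[1], g(x[2]))})
    for t in tokens_in(M, 'w3'):        # w3: release write, only by the owner
        if w[2] == t[1]:
            out.append(M - {t, w} | {('w4', t[1], t[2]), ('w', w[1], -1)})
    return out

def mutual_exclusion(M):
    """At most one writer in its critical section, and none while a reader is in its own."""
    writing = tokens_in(M, 'w2') + tokens_in(M, 'w3')
    reading = tokens_in(M, 'r2') + tokens_in(M, 'r3')
    return len(writing) <= 1 and not (writing and reading)

def initial(readers, writers):
    """Initial marking: readers in r1, writers in w1, distinct positive ids, w = -1, x = 0."""
    ids = iter(range(1, readers + writers + 1))
    M = {('r1', next(ids), 0) for _ in range(readers)}
    M |= {('w1', next(ids), 0) for _ in range(writers)}
    return frozenset(M | {('w', 0, -1), ('x', 0, 0)})

def explore(M0, check_readers=True):
    """Breadth-first enumeration of post*(M0); returns (reachable, invariant holds)."""
    seen, todo = {M0}, deque([M0])
    while todo:
        M = todo.popleft()
        for M2 in successors(M, check_readers):
            if M2 not in seen:
                seen.add(M2)
                todo.append(M2)
    return seen, all(mutual_exclusion(M) for M in seen)

def all_terminated(reachable):
    """True iff a marking with every process in r4 or w4 is reachable."""
    return any(all(t[0] in ('r4', 'w4', 'w', 'x') for t in M) for M in reachable)

if __name__ == '__main__':
    reach, ok = explore(initial(2, 2))
    print(len(reach), 'reachable markings, mutual exclusion holds:', ok)
    print('without the reader check:', explore(initial(2, 2), check_readers=False)[1])
```

The explicit enumeration is only possible because the instance is bounded; the point of the CPN encoding is that the same six guarded rules, kept symbolic, describe the net for any number of readers and writers.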



Value passing, return values: Processes may pass/wait for values to/from other processes with specific identities. They can use for that shared arrays of data indexed by process identities. Such an array $A$ can be modeled in our framework using a special place containing one token for each process. Initially, this place is empty, and whenever a new process is created, a token with the same identity is added to this place. Then, to model that a process reads/writes $A[k]$, we use a transition which takes from the place associated with $A$ the token with color $\delta_1$ equal to $k$, reads/modifies the value attached to this token, and puts the token back in the same place. For instance, an assignment action $q \xrightarrow{A[k] := e} q'$ executed by some process is modeled by the transition:

$$q, A \hookrightarrow q', A : \delta_1(x_2) = k \wedge \delta_2(y_2) = e \wedge \delta_1(y_2) = \delta_1(x_2) \wedge \varphi_{id}(1)$$

Rendez-vous synchronization: Synchronization between a finite number of processes can be modeled as in Petri nets. CPNs allow in addition to put constraints on the colors (data) of the involved processes.

Priorities: Various notions of priority, such as priorities between different classes of processes (defined by properties of their colors), or priorities between different actions, can be modeled in CPNs. This can be done by imposing in transition guards that transitions (performed by processes or corresponding to actions) of higher priority are not enabled. These constraints can be expressed using $\Pi_1$ formulas. In particular, checking that a place $p$ is empty can be expressed by $\forall x.\ \neg p(x)$. (Which shows that, as soon as universally quantified formulas are allowed in guards, our models are as powerful as Turing machines, even for color logics over finite domains: emptiness tests on places are inhibitor arcs, and Petri nets with inhibitor arcs simulate counter machines with zero tests.)

7. Computing Post and Pre Images

We address in this section the problem of characterizing in CML the immediate successors/predecessors of CML-definable sets of colored markings.

Theorem 7.1. Let $S$ be a $\mathrm{CPN}[\Sigma_n]$, for $n \in \{1, 2\}$. Then, for every closed CML formula $\varphi$ in the fragment $\Sigma_n$, the sets $\mathit{post}_S(\llbracket\varphi\rrbracket)$ and $\mathit{pre}_S(\llbracket\varphi\rrbracket)$ are effectively definable by CML formulas in the same fragment $\Sigma_n$.

Proof. Let $\varphi$ be a closed formula, and let $\tau$ be a transition $\vec{p} \hookrightarrow \vec{q} : \psi$ of the system $S$. W.l.o.g., we suppose that $\varphi$ and $\psi$ are in special form (see the definition in Section 2.3.3). Moreover, we suppose that the variables in $\vec{x}$ and $\vec{y}$ introduced by $\tau$ have fresh names, i.e., different from those of the variables quantified in $\varphi$ and $\psi$. We define hereafter the formulas $\varphi_{\mathit{post}_\tau}$ and $\varphi_{\mathit{pre}_\tau}$ such that $\llbracket\varphi_{\mathit{post}_\tau}\rrbracket = \mathit{post}_\tau(\llbracket\varphi\rrbracket)$ and $\llbracket\varphi_{\mathit{pre}_\tau}\rrbracket = \mathit{pre}_\tau(\llbracket\varphi\rrbracket)$ for this single transition. The generalization to the set of all transitions is straightforward (a disjunction over the transitions of $S$).

The construction of the formulas $\varphi_{\mathit{post}_\tau}$ and $\varphi_{\mathit{pre}_\tau}$ is not trivial because our logic does not allow quantification over places and over color mappings in $[N \rightarrow C]$. Intuitively, the idea is to express first the effect of deleting/adding tokens, and then to compose these operations to compute the effect of a transition.

Let us introduce two transformations $\ominus$ and $\oplus$ corresponding to the deletion and the creation of tokens. These operations are inductively defined on the structure of special form formulas in Tables 3 and 4.

The operation $\ominus$ is parameterized by a vector $\vec{z}$ of token variables to be deleted, a mapping $\mathit{loc}$ associating with each token variable in $\vec{z}$ the place from which it will be deleted, and a mapping $\mathit{col}$ associating with each token variable in $\vec{z}$ and each $k \in \{1, \ldots, N\}$ a fresh color variable in $C$. Intuitively, $\ominus$ projects a formula on all variables in $\vec{z}$. Rule $\ominus_2$ substitutes in a color formula $r(\vec{t})$ all occurrences of colored tokens in $\vec{z}$ by the fresh color variables given by the mapping $\mathit{col}$. A formula $x = y$ is unchanged by the application of $\ominus$ if the token variables $x$ and $y$ are not in $\vec{z}$; otherwise, rule $\ominus_3$ replaces $x = y$ by "true" if it is trivially true (i.e., we have the same variable on both sides of the equality) or by "false" if $x$ (or $y$) is in $\vec{z}$. Indeed, each token variable in $\vec{z}$ represents (by the semantics of CPNs) a different token, and since this token is deleted by the transition rule, it cannot appear in the reached configuration. Rules $\ominus_4$ and $\ominus_5$ are straightforward. Finally, rule $\ominus_6$ does a case split according to whether a deleted token is precisely the one referenced by the existential token quantification or not.

$\ominus_1$: $\mathit{true} \ominus (\vec{z}, \mathit{loc}, \mathit{col}) = \mathit{true}$

$\ominus_2$: $r(\vec{t}) \ominus (\vec{z}, \mathit{loc}, \mathit{col}) = r(\vec{t})[\mathit{col}(z)(k)/\delta_k(z)]_{1 \leq k \leq N,\ z \in \vec{z}}$

$\ominus_3$: $(x = y) \ominus (\vec{z}, \mathit{loc}, \mathit{col}) = x = y$ if $x, y \notin \vec{z}$; $\mathit{true}$ if $x = y$; $\mathit{false}$ otherwise

$\ominus_4$: $(\neg\varphi) \ominus (\vec{z}, \mathit{loc}, \mathit{col}) = \neg(\varphi \ominus (\vec{z}, \mathit{loc}, \mathit{col}))$

$\ominus_5$: $(\varphi_1 \vee \varphi_2) \ominus (\vec{z}, \mathit{loc}, \mathit{col}) = (\varphi_1 \ominus (\vec{z}, \mathit{loc}, \mathit{col})) \vee (\varphi_2 \ominus (\vec{z}, \mathit{loc}, \mathit{col}))$

$\ominus_6$: $(\exists x \in p.\ \varphi) \ominus (\vec{z}, \mathit{loc}, \mathit{col}) = \exists x \in p.\ (\varphi \ominus (\vec{z}, \mathit{loc}, \mathit{col})) \vee \bigvee_{z \in \vec{z},\ \mathit{loc}(z) = p} (\varphi[z/x]) \ominus (\vec{z}, \mathit{loc}, \mathit{col})$

Table 3: Definition of the $\ominus$ operator.

The operation $\oplus$ is parameterized by a vector $\vec{z}$ of token variables to be added and a mapping $\mathit{loc}$ associating with each variable in $\vec{z}$ the place in which it will be added. Intuitively, $\oplus$ transforms a formula taking into account that the tokens added by the transition were not present in the previous configuration (and therefore not constrained by the original formula describing the configuration before the transition). Then, the application of $\oplus$ has no effect on color formulas $r(\vec{t})$ (rule $\oplus_2$). When equality of tokens is tested, rule $\oplus_3$ takes into account that all added tokens are distinct and different from the existing tokens. For token quantification, rule $\oplus_6$ says that the quantified tokens of the previous configuration cannot be equal to the added tokens.

$\oplus_1$: $\mathit{true} \oplus (\vec{z}, \mathit{loc}) = \mathit{true}$

$\oplus_2$: $r(\vec{t}) \oplus (\vec{z}, \mathit{loc}) = r(\vec{t})$

$\oplus_3$: $(x = y) \oplus (\vec{z}, \mathit{loc}) = x = y$ if $x, y \notin \vec{z}$; $\mathit{true}$ if $x = y$; $\mathit{false}$ otherwise

$\oplus_4$: $(\neg\varphi) \oplus (\vec{z}, \mathit{loc}) = \neg(\varphi \oplus (\vec{z}, \mathit{loc}))$

$\oplus_5$: $(\varphi_1 \vee \varphi_2) \oplus (\vec{z}, \mathit{loc}) = (\varphi_1 \oplus (\vec{z}, \mathit{loc})) \vee (\varphi_2 \oplus (\vec{z}, \mathit{loc}))$

$\oplus_6$: $(\exists x \in p.\ \varphi) \oplus (\vec{z}, \mathit{loc}) = \exists x \in p.\ \big( (\varphi \oplus (\vec{z}, \mathit{loc})) \wedge \bigwedge_{z \in \vec{z},\ \mathit{loc}(z) = p} \neg(x = z) \big)$

Table 4: Definition of the $\oplus$ operator.

Therefore, we define $\varphi_{\mathit{post}_\tau}$ to be the formula:

$$\exists \vec{y} \in \vec{q}.\ \exists \vec{c}.\ \Big( \big( (\varphi \wedge \psi) \ominus (\vec{x},\ \vec{x} \mapsto \vec{p},\ \vec{x} \times [1, N] \mapsto \vec{c}) \big) \oplus (\vec{y},\ \vec{y} \mapsto \vec{q}) \Big) \qquad (7.1)$$

In the formula above, we first delete the tokens corresponding to $\vec{x}$ from the current configuration $\varphi$ intersected with the guard $\psi$ of the rule. Then, we add the tokens corresponding to $\vec{y}$. Finally, we close the formula by quantifying existentially (1) the color variables $\vec{c}$ corresponding to the colors of the deleted tokens $\vec{x}$ and (2) the token variables $\vec{y}$ corresponding to the added tokens.

Similarly, we define $\varphi_{\mathit{pre}_\tau}$ to be the formula:

$$\exists \vec{x} \in \vec{p}.\ \exists \vec{c}.\ \Big( \big( (\varphi \oplus (\vec{x},\ \vec{x} \mapsto \vec{p})) \wedge \psi \big) \ominus (\vec{y},\ \vec{y} \mapsto \vec{q},\ \vec{y} \times [1, N] \mapsto \vec{c}) \Big) \qquad (7.2)$$

In the formula above, we first add to the current configuration the tokens represented by the left-hand side $\vec{x}$ of the rule, in order to obtain a configuration on which the guard $\psi$ can be applied. Then, we remove the tokens added by the rule, represented by the token variables $\vec{y}$. Finally, we close the formula by quantifying existentially (1) the color variables $\vec{c}$ corresponding to the colors of the removed tokens $\vec{y}$ and (2) the token variables $\vec{x}$ corresponding to the added tokens. It is easy to see that if $\varphi$ and $\psi$ are in the $\Sigma_n$ fragment, for any $n \geq 1$, then both formulas $\varphi_{\mathit{post}_\tau}$ and $\varphi_{\mathit{pre}_\tau}$ are also in the same fragment $\Sigma_n$: neither $\ominus$ nor $\oplus$ introduces a quantifier alternation, and the quantifiers added in front by (7.1) and (7.2) are existential. $\square$

Complexity: Let $\varphi$ be a $\Sigma_2$ formula, and let $\tau = \vec{p} \hookrightarrow \vec{q} : \psi$ be a transition of a system $S \in \mathrm{CPN}[\Sigma_2]$. Then the sizes of the formulas $\mathit{post}_\tau(\varphi)$ and $\mathit{pre}_\tau(\varphi)$ are in general exponential in the number of quantifiers in $\varphi \wedge \psi$. More precisely, the size of the post (resp. pre) image of $\varphi$ is $O(|\vec{p}|^n)$ (resp. $O(|\vec{q}|^n)$) times greater than the size of the formula $\varphi \wedge \psi$, where $n$ is the number of quantifiers in $\varphi \wedge \psi$. This exponential blow-up is due to rule $\ominus_6$ in Table 3, which duplicates the body of a quantifier once for every deleted token located in the same place. If the number of quantified variables in $\varphi \wedge \psi$ is fixed, then the size of $\mathit{post}_\tau(\varphi)$ (resp. $\mathit{pre}_\tau(\varphi)$) increases polynomially w.r.t. the size of the formula $\varphi \wedge \psi$.

Example 7.2. To illustrate the construction given in the proof above, we consider the logic $\mathrm{CML}(\mathbb{N}, \{0\}, \{<\})$ and the CPN $S = (P, \Delta)$ with $P = \{p, q, r\}$ and $\Delta$ containing the following transition:

$$\tau : \ p \hookrightarrow q : \delta_1(x_1) > 0 \wedge \neg(\exists t \in q.\ \delta_1(t) = \delta_1(y_1))$$

Intuitively, this transition moves a token with positive color from place $p$ to place $q$ and assigns to its color a value non-deterministically chosen in $\mathbb{N}$ but different from all the colors of the tokens in place $q$.

We illustrate the computation of the post-image of $\tau$ on two formulas in special form, $\varphi_1 = (\exists x \in r.\ \mathit{true})$ and $\varphi_2 = (\forall x, y \in p.\ x = y)$. Intuitively, $\varphi_1$ says that the place $r$ contains at least one token, and $\varphi_2$ says that any two tokens in place $p$ are equal, i.e., place $p$ contains at most one token. Since $\varphi_1$ does not speak about the places involved in the transition $\tau$ (i.e., $p$ and $q$), we expect to obtain a post-image that is stable by $\tau$, i.e., $\varphi_{1,\mathit{post}_\tau} \Rightarrow \varphi_1$. Conversely, $\varphi_2$ speaks about a place changed by $\tau$, so its image cannot be stable. In the remainder of this example we give the details of the construction of the post-images by $\tau$ for $\varphi_1$ and $\varphi_2$.

By applying equation (7.1) to $\varphi_1$ we obtain:

$$\varphi_{1,\mathit{post}_\tau} = \exists y_1 \in q.\ \exists c_{1,x_1}.\ \Big( \big( \varphi_1 \wedge \delta_1(x_1) > 0 \wedge \neg(\exists t \in q.\ \delta_1(t) = \delta_1(y_1)) \big) \ominus (\{x_1\}, \{x_1 \mapsto p\}, \{x_1 \mapsto 1 \mapsto c_{1,x_1}\}) \Big) \oplus (\{y_1\}, \{y_1 \mapsto q\})$$

In the following, we denote by $\mathit{loc}_{x_1}$, $\mathit{col}_{x_1}$ and $\mathit{loc}_{y_1}$ the mappings $\{x_1 \mapsto p\}$, $\{x_1 \mapsto 1 \mapsto c_{1,x_1}\}$, resp. $\{y_1 \mapsto q\}$.

First, we compute the effect of applying the $\ominus$ operation on $\varphi_1$ and the guard of $\tau$ using the rules given in Table 3. By applying several times rules $\ominus_4$ and $\ominus_5$ to distribute $\ominus$ over $\wedge$ and $\neg$ we obtain:

$$(\exists x \in r.\ \mathit{true}) \ominus (\{x_1\}, \mathit{loc}_{x_1}, \mathit{col}_{x_1}) \wedge (\delta_1(x_1) > 0) \ominus (\{x_1\}, \mathit{loc}_{x_1}, \mathit{col}_{x_1}) \wedge \neg\big( (\exists t \in q.\ \delta_1(t) = \delta_1(y_1)) \ominus (\{x_1\}, \mathit{loc}_{x_1}, \mathit{col}_{x_1}) \big)$$

By applying rule $\ominus_6$ twice, $\ominus_2$ once, and by replacing the empty disjunctions by $\mathit{false}$ (the deleted token $x_1$ is located in $p$, not in $r$ or $q$), we obtain:

$$(\exists x \in r.\ \mathit{true} \ominus (\{x_1\}, \mathit{loc}_{x_1}, \mathit{col}_{x_1}) \vee \mathit{false}) \wedge (c_{1,x_1} > 0) \wedge \neg\big( \exists t \in q.\ (\delta_1(t) = \delta_1(y_1)) \ominus (\{x_1\}, \mathit{loc}_{x_1}, \mathit{col}_{x_1}) \vee \mathit{false} \big)$$

Rules $\ominus_1$ and $\ominus_2$ are applied to obtain the final result:

$$(\exists x \in r.\ \mathit{true}) \wedge (c_{1,x_1} > 0) \wedge \neg(\exists t \in q.\ \delta_1(t) = \delta_1(y_1))$$

On the above formula we apply the $\oplus$ transformation using the rules given in Table 4. By applying several times rules $\oplus_4$ and $\oplus_5$ to distribute $\oplus$ over $\wedge$ and $\neg$ we obtain:

$$(\exists x \in r.\ \mathit{true}) \oplus (\{y_1\}, \mathit{loc}_{y_1}) \wedge (c_{1,x_1} > 0) \oplus (\{y_1\}, \mathit{loc}_{y_1}) \wedge \neg\big( (\exists t \in q.\ \delta_1(t) = \delta_1(y_1)) \oplus (\{y_1\}, \mathit{loc}_{y_1}) \big)$$

By applying rules $\oplus_6$ and $\oplus_2$ twice each, and by replacing the empty conjunctions by $\mathit{true}$, we obtain:

$$(\exists x \in r.\ \mathit{true} \oplus (\{y_1\}, \mathit{loc}_{y_1}) \wedge \mathit{true}) \wedge (c_{1,x_1} > 0) \wedge \neg\big( \exists t \in q.\ (\delta_1(t) = \delta_1(y_1)) \oplus (\{y_1\}, \mathit{loc}_{y_1}) \wedge \neg(t = y_1) \big)$$

Rules $\oplus_1$ and $\oplus_2$ are applied to obtain the final result:

$$(\exists x \in r.\ \mathit{true}) \wedge (c_{1,x_1} > 0) \wedge \neg(\exists t \in q.\ \delta_1(t) = \delta_1(y_1) \wedge \neg(t = y_1))$$

Therefore, the immediate successors of $\varphi_1$ by $\tau$ are given by the following CML formula:

$$\begin{aligned}
\varphi_{1,\mathit{post}_\tau} &= \exists y_1 \in q.\ \exists c_{1,x_1}.\ (\exists x \in r.\ \mathit{true}) \wedge (c_{1,x_1} > 0) \wedge \neg(\exists t \in q.\ \delta_1(t) = \delta_1(y_1) \wedge \neg(t = y_1)) \\
&= (\exists x \in r.\ \mathit{true}) \wedge \big( \exists y_1 \in q.\ \exists c_{1,x_1}.\ (c_{1,x_1} > 0) \wedge \neg(\exists t \in q.\ \delta_1(t) = \delta_1(y_1) \wedge \neg(t = y_1)) \big)
\end{aligned}$$

where the last equality has been obtained by applying the classical rules for quantifiers (the first conjunct does not mention $y_1$ or $c_{1,x_1}$). It is now easy to see that $\varphi_{1,\mathit{post}_\tau} \Rightarrow \varphi_1$.

Now, we consider $\varphi_2$ and we apply equation (7.1) to obtain:

$$\varphi_{2,\mathit{post}_\tau} = \exists y_1 \in q.\ \exists c_{1,x_1}.\ \Big( \big( \varphi_2 \wedge \delta_1(x_1) > 0 \wedge \neg(\exists t \in q.\ \delta_1(t) = \delta_1(y_1)) \big) \ominus (\{x_1\}, \mathit{loc}_{x_1}, \mathit{col}_{x_1}) \Big) \oplus (\{y_1\}, \mathit{loc}_{y_1})$$

We only detail the effect of the $\ominus$ and $\oplus$ operators on $\varphi_2$, since the computation for the conjunct representing the guard of $\tau$ is the same as for $\varphi_1$.

In order to apply $\ominus$ on $\varphi_2$, we use the equivalent form of $\varphi_2$, i.e., $\neg(\exists x \in p.\ \exists y \in p.\ \neg(x = y))$. Then, the effect of the $\ominus$ operation on $\varphi_2$ is obtained by applying twice the rules $\ominus_4$ and $\ominus_6$ as follows:

$$\begin{aligned}
\varphi_2 \ominus (\{x_1\}, \mathit{loc}_{x_1}, \mathit{col}_{x_1}) = \neg\Big( &\big( \exists x \in p.\ (\exists y \in p.\ \neg(x = y)) \ominus (\{x_1\}, \mathit{loc}_{x_1}, \mathit{col}_{x_1}) \vee \neg(x = x_1) \ominus (\{x_1\}, \mathit{loc}_{x_1}, \mathit{col}_{x_1}) \big) \\
&\vee (\exists y \in p.\ \neg(x_1 = y)) \ominus (\{x_1\}, \mathit{loc}_{x_1}, \mathit{col}_{x_1}) \Big)
\end{aligned}$$

By applying several times rules $\ominus_3$, $\ominus_4$, and $\ominus_6$ we obtain:

$$\begin{aligned}
\varphi_2 \ominus (\{x_1\}, \mathit{loc}_{x_1}, \mathit{col}_{x_1})
&= \neg\Big( \big( \exists x \in p.\ \exists y \in p.\ \neg(x = y) \vee \neg(\mathit{false}) \big) \vee \big( \exists y \in p.\ \neg(x_1 = y) \ominus (\{x_1\}, \mathit{loc}_{x_1}, \mathit{col}_{x_1}) \vee \neg(x_1 = x_1) \ominus (\{x_1\}, \mathit{loc}_{x_1}, \mathit{col}_{x_1}) \big) \Big) \\
&= \neg\Big( (\exists x \in p.\ \exists y \in p.\ \mathit{true}) \vee (\exists y \in p.\ \neg(\mathit{false}) \vee \neg(\mathit{true})) \Big) \\
&= \neg(\exists x \in p.\ \exists y \in p.\ \mathit{true}) \wedge \neg(\exists y \in p.\ \mathit{true}) \\
&= (\forall x, y \in p.\ \mathit{false}) \wedge (\forall y \in p.\ \mathit{false}) \\
&= (\forall x \in p.\ \mathit{false})
\end{aligned}$$

The last equivalence above is obtained from the classical properties of quantifiers. The final result is the one expected intuitively: the effect of removing the token $x_1$ from $p$ in a configuration where there is at most one token in $p$ (see the meaning of $\varphi_2$) is a configuration with no token in $p$.

It is easy to show that the effect of $\oplus(\{y_1\}, \mathit{loc}_{y_1})$ on the last formula above is null, since $y_1$ is added to $q$ and not to $p$. Therefore, the immediate successors of $\varphi_2$ by $\tau$ are given by the following CML formula:

$$\begin{aligned}
\varphi_{2,\mathit{post}_\tau} &= \exists y_1 \in q.\ \exists c_{1,x_1}.\ (\forall x \in p.\ \mathit{false}) \wedge (c_{1,x_1} > 0) \wedge \neg(\exists t \in q.\ \delta_1(t) = \delta_1(y_1) \wedge \neg(t = y_1)) \\
&= (\forall x \in p.\ \mathit{false}) \wedge \big( \exists y_1 \in q.\ \exists c_{1,x_1}.\ (c_{1,x_1} > 0) \wedge \neg(\exists t \in q.\ \delta_1(t) = \delta_1(y_1) \wedge \neg(t = y_1)) \big)
\end{aligned}$$

More complex examples of post-image computations for the reader-writer lock example are provided in Section 9.1.
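The $\ominus$ and $\oplus$ rewriting of Tables 3 and 4 and the matrix of equation (7.1), as an added example in Python (not code from the paper), replayed on the transition $\tau$ and the formulas $\varphi_1$, $\varphi_2$ of Example 7.2. Formulas are nested tuples; $\wedge$ is kept as a connective and distributed like $\vee$ (the paper's special form has only $\neg$, $\vee$, $\exists$); color atoms are opaque strings in which $\delta_k(x)$ is written `dk(x)`, an encoding chosen for this example. `simplify` applies the "classical rules" the example invokes, including an alpha-renaming step so that $\exists x \in p.\ \mathit{true} \vee \exists y \in p.\ \mathit{true}$ collapses to one disjunct. `post_body` returns the formula under the prefix $\exists y_1 \in q.\ \exists c_{1,x_1}$; the expected results are the last lines of Example 7.2.

```python
import re

# Special-form formulas as nested tuples (bound token variables assumed fresh):
#   ('true',)  ('col', s)  color atom, s a string in which delta_k(x) is written dk(x)
#   ('eq', x, y)  ('not', f)  ('or', f, g)  ('and', f, g)  ('ex', x, p, f)
T, F = ('true',), ('false',)

def subst(f, x, z):
    """f[z/x] on token variables, including inside color atoms."""
    tag = f[0]
    if tag == 'col':
        return ('col', re.sub(rf'd(\d+)\({re.escape(x)}\)', rf'd\1({z})', f[1]))
    if tag == 'eq':
        return ('eq', z if f[1] == x else f[1], z if f[2] == x else f[2])
    if tag == 'ex':
        return f if f[1] == x else ('ex', f[1], f[2], subst(f[3], x, z))
    if tag in ('not', 'or', 'and'):
        return (tag,) + tuple(subst(g, x, z) for g in f[1:])
    return f

def canon(f, n=0):
    """Rename bound variables canonically so alpha-equivalent formulas compare equal."""
    tag = f[0]
    if tag == 'ex':
        v = f'_v{n}'
        return ('ex', v, f[2], canon(subst(f[3], f[1], v), n + 1))
    if tag in ('not', 'or', 'and'):
        return (tag,) + tuple(canon(g, n) for g in f[1:])
    return f

def simplify(f):
    """The 'classical rules' of the example: constant folding, x = x, double negation,
    absorption of alpha-equivalent disjuncts/conjuncts, and exists x in p. false = false."""
    tag = f[0]
    if tag == 'eq':
        return T if f[1] == f[2] else f
    if tag == 'not':
        g = simplify(f[1])
        if g == T: return F
        if g == F: return T
        return g[1] if g[0] == 'not' else ('not', g)
    if tag in ('or', 'and'):
        a, b = simplify(f[1]), simplify(f[2])
        unit, zero = (F, T) if tag == 'or' else (T, F)
        if a == zero or b == zero: return zero
        if a == unit: return b
        if b == unit: return a
        return a if canon(a) == canon(b) else (tag, a, b)
    if tag == 'ex':
        body = simplify(f[3])
        return F if body == F else ('ex', f[1], f[2], body)
    return f

def ominus(f, zs, loc, col):
    """Table 3: delete the tokens zs; loc[z] is their place, col[(z, k)] a fresh color var."""
    tag = f[0]
    if tag == 'col':
        s = f[1]
        for (z, k), c in col.items():
            s = s.replace(f'd{k}({z})', c)                    # rule (-)2
        return ('col', s)
    if tag == 'eq':                                            # rule (-)3
        x, y = f[1], f[2]
        if x not in zs and y not in zs: return f
        return T if x == y else F
    if tag == 'ex':                                            # rule (-)6
        x, p, body = f[1], f[2], f[3]
        res = ('ex', x, p, ominus(body, zs, loc, col))
        for z in zs:
            if loc[z] == p:
                res = ('or', res, ominus(subst(body, x, z), zs, loc, col))
        return res
    if tag in ('not', 'or', 'and'):                            # rules (-)4, (-)5
        return (tag,) + tuple(ominus(g, zs, loc, col) for g in f[1:])
    return f                                                   # rule (-)1

def oplus(f, zs, loc):
    """Table 4: add the tokens zs, loc[z] being the place each one is added to."""
    tag = f[0]
    if tag == 'eq':                                            # rule (+)3
        x, y = f[1], f[2]
        if x not in zs and y not in zs: return f
        return T if x == y else F
    if tag == 'ex':                                            # rule (+)6
        x, p, body = f[1], f[2], f[3]
        res = oplus(body, zs, loc)
        for z in zs:
            if loc[z] == p:
                res = ('and', res, ('not', ('eq', x, z)))
        return ('ex', x, p, res)
    if tag in ('not', 'or', 'and'):                            # rules (+)4, (+)5
        return (tag,) + tuple(oplus(g, zs, loc) for g in f[1:])
    return f                                                   # rules (+)1, (+)2

def post_body(phi, psi, xs, loc_x, col_x, ys, loc_y):
    """Matrix of (7.1): ((phi /\ psi) (-) (xs, loc_x, col_x)) (+) (ys, loc_y), simplified.
    Prefixing it with  exists ys in loc_y. exists col_x.  gives phi_post."""
    return simplify(oplus(ominus(('and', phi, psi), xs, loc_x, col_x), ys, loc_y))

# The transition tau and the two formulas of Example 7.2.
TAU_GUARD = ('and', ('col', 'd1(x1) > 0'),
             ('not', ('ex', 't', 'q', ('col', 'd1(t) = d1(y1)'))))
PHI1 = ('ex', 'x', 'r', T)
PHI2 = ('not', ('ex', 'x', 'p', ('ex', 'y', 'p', ('not', ('eq', 'x', 'y')))))
LOC_X, COL_X, LOC_Y = {'x1': 'p'}, {('x1', 1): 'c_1_x1'}, {'y1': 'q'}

def example_post(phi):
    return post_body(phi, TAU_GUARD, ['x1'], LOC_X, COL_X, ['y1'], LOC_Y)
```

`example_post(PHI2)` yields $\neg(\exists x \in p.\ \mathit{true})$, i.e. $\forall x \in p.\ \mathit{false}$, conjoined with the rewritten guard $c_{1,x_1} > 0 \wedge \neg(\exists t \in q.\ \delta_1(t) = \delta_1(y_1) \wedge \neg(t = y_1))$; `example_post(PHI1)` leaves $\varphi_1$ untouched in front of the same guard. The exponential case of rule $\ominus_6$ is visible in `ominus`: every deleted token whose place matches a quantifier duplicates that quantifier's body.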

8. Applications in Verification 

We show in this section how to use the results of the previous section to perform various 
kinds of analysis. Let us fix for the rest of the section a first order logic FO(C, Q, H) with a 
decidable satisfiability problem and a CPN S. 

8.1. Pre-post condition reasoning. Given a transition r in 5" and given two formulas if 
and (f' , {(f, T, If') is a Hoare triple if whenever the condition ip holds, the condition (p' holds 
after the execution of r. In other words, we must have post^(|(^]) C fip'J, or equivalently that 
post^(|(/?]) n [-'V''] = 0. Then, by Theorem 17.11 and Theorem 14. II we deduce the following: 

Theorem 8.1. If S is a CPN[S2], then the problem whether {(p,T,(p') is a Hoare triple is 
decidable for every transition r of S, every formula ip G T,2, and every formula G 112. 
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8.2. Bounded reachability analysis. An instance of the bounded reachability analy- 
sis problem is a triple (Init, Target, k) where Init and Target are two sets of configu- 
rations, and /c is a positive integer. The problem consists in deciding whether there ex- 
ists a computation of length at most k which starts from some configuration in Init and 
reaches a configuration in Target. In other words, the problem consists in deciding whether 
Target fl Uo<j<fc post^(/nit) / 0, or equivalently whether Init n Uo<j<fc 9't^^s^Target) ^ 0. 
The following result is a direct consequence of Theorem 17.11 and Theorem 14.11 

Theorem 8.2. If S is a CPN[S2], then, for every A; € N, and for every two formulas 
ipi,(pT G 5^2, the bounded reachability problem {{(fi}, lfT},k) is decidable. 

8.3. Checking invariance properties. Invariance checking consists in deciding whether 
a given property (1) is satisfied by the set of initial configurations, and (2) is stable under 
the transition relation of a system. 

Formally, given a CPN S" with transitions in A and a closed formula (pmit defining the 
set of initial configurations, we say that a closed formula ip is an inductive invariant of 
{A,ipinit) if and only if (1) {ipinitj ^ M> and (2) post^([(^|) C yj for any r G A. Clearly, 
(1) is equivalent to [v^iniil n l^(p} = 0, and (2) is equivalent to post^(|(/5]) n l^^p} = 0. By 
Theorem 17.11 and Theorem 14. 11 we have: 

Theorem 8.3. The problem whether a formula ip E ^(^^i) is an inductive invariant of 
(A,ipinit), where A S CPN[S2] and ipinit £ ^2 is decidable. 

The deductive approach for establishing an invariance property considers the inductive
invariance checking problem given by a triple $(\varphi_{init}, \varphi_{inv}, \varphi_{aux})$ of closed formulas expressing
sets of configurations, and which consists in deciding whether (1) $\llbracket \varphi_{init} \rrbracket \subseteq \llbracket \varphi_{aux} \rrbracket$,
(2) $\llbracket \varphi_{aux} \rrbracket \subseteq \llbracket \varphi_{inv} \rrbracket$, and (3) $\varphi_{aux}$ is an inductive invariant. The following result is a direct
consequence of Theorem 7.1, Theorem 4.1, and of the previous theorem.

Theorem 8.4. If $S$ is a CPN[$\Sigma_2$], then the inductive invariance checking problem is decidable
for every instance $(\varphi_{init}, \varphi_{inv}, \varphi_{aux})$ where $\varphi_{init} \in \Sigma_2$, and $\varphi_{inv}, \varphi_{aux} \in \mathcal{B}(\Sigma_1)$ are all
closed formulas.

Of course, the difficult part in applying the deductive approach is to find useful auxiliary
inductive invariants. One approach to tackle this problem is to try to compute the largest
inductive invariant included in $\varphi_{inv}$, which is the set $\bigcap_{k \ge 0} \widetilde{pre}^k_S(\varphi_{inv})$, where $\widetilde{pre}_S(X)$
denotes the dual pre-image, i.e., the set of configurations all of whose successors under $S$ lie
in $X$. Therefore, a method to derive auxiliary inductive invariants is to try iteratively the
sets $\varphi_{inv}$, $\varphi_{inv} \cap \widetilde{pre}_S(\varphi_{inv})$, $\varphi_{inv} \cap \widetilde{pre}_S(\varphi_{inv}) \cap \widetilde{pre}^2_S(\varphi_{inv})$, etc. In many practical cases,
only a few strengthening steps are needed to find an inductive invariant. (Indeed, the user is
in general able to provide accurate invariant assertions for each control point of his system.)
The result below implies that the steps of this iterative strengthening method can be
automated when CPN[$\Sigma_1$] models and $\Sigma_1$ invariants are considered.

Theorem 8.5. If $S$ is a CPN[$\Sigma_1$], then for every closed formula $\varphi$ in $\Sigma_1$ and every positive
integer $k$, it is possible to construct a formula in $\Sigma_1$ defining the set $\bigcap_{0 \le j \le k} \widetilde{pre}^j_S(\llbracket \varphi \rrbracket)$.

The theorem above is a consequence of the fact that, by Theorem 7.1, for every $S$ in
CPN[$\Sigma_1$] and for every formula $\varphi$ in $\Sigma_1$, it is possible to construct a formula $\varphi_{\widetilde{pre}}$, also in $\Sigma_1$,
such that $\llbracket \varphi_{\widetilde{pre}} \rrbracket = \widetilde{pre}_S(\llbracket \varphi \rrbracket)$.
Complexity: Let $\tau = \vec{p} \hookrightarrow \vec{q} : \psi$ be a transition of a system $S \in$ CPN[$\Sigma_2$], and let $\varphi$ be
a $\mathcal{B}(\Sigma_1)$ formula. The satisfiability of $post_\tau(\varphi) \wedge \neg\varphi$ can be reduced in nondeterministic
doubly-exponential time to the satisfiability problem of the color logic. This is due to the
fact that (1) the reduction to the satisfiability problem of the color logic is in nondeterministic
exponential time w.r.t. the maximal number of universally quantified variables in the
formulas $\neg\varphi$ and $post_\tau(\varphi)$, and that (2) the number of universally quantified variables in
$post_\tau(\varphi)$ is exponential in the number of universally quantified variables in $\varphi \wedge \psi$.

Now, for fixed sizes of $\vec{p}$ and $\vec{q}$, and for a fixed number of quantified variables in
$\varphi \wedge \psi$, the reduction to the satisfiability problem of the color logic is in NP. Such assumptions
are in fact quite realistic in practice (as shown in the following section for different examples
of parameterized systems). Indeed, in models of parameterized systems (see Section 6),
communication involves only few processes (usually at most two). This justifies the bound
on the sizes of the left and right hand sides of the transition rules. Moreover, invariants are
usually expressible using a small number of process indices (for instance, mutual exclusion
needs two indices) and relate only few of their local variables.

9. Case Studies and Experimental Results

We illustrate the use of our framework on several examples of parameterized systems.
First, we consider the parameterized version of the Reader-Writer lock example provided
in [FFQ02]. We give for this case study the inductive invariant allowing to prove a suitable
safety property, and we show significant parts of its proof.

Then, we describe briefly a prototype tool for checking invariance properties based
on our framework, and we give the experimental results obtained on several examples of
parameterized mutual exclusion protocols and on the Reader-Writer lock case study.

9.1. Verification of the Reader-Writer Lock. A safety property of our example is "for
all Reader processes at control location 3, the local variable $y$ has the same value, equal to
$f(x)$", whose specification in CML is the following $\Sigma_1$ formula:

$RF = \forall u \in r3,\ t \in x.\ \delta_2(u) = f(\delta_1(t))$

Of course, this property is true only if all Reader and Writer processes respect the procedure
for acquiring the lock, i.e., there are no other processes in the system which access
the global variable $x$. Therefore, a correct initial configuration of the CPN model given
in Table 6.2 has no token in places $r2$, $r3$, $w2$, and $w3$, and only one token in place $x$.
Moreover, all process identities stored in color $\delta_1$ are positive. We suppose that the lock is
free initially, i.e., the place $r$ is empty and the place $w$ contains a unique token with negative
$\delta_2$ color. Then, a correct initial configuration of the system is given by the following $Init$
formula in $\mathcal{B}(\Sigma_1)$:

$Init = G_x \wedge Ids \wedge Init_{lock} \wedge (\forall t.\ \neg(r2(t) \vee r3(t) \vee w2(t) \vee w3(t)))$

where

$G_x = (\exists t \in x.\ true) \wedge (\forall t, t' \in x.\ t = t')$

expresses that the place $x$ contains a unique token,

$Ids = \forall t.\ \delta_1(t) > 0$

expresses that all tokens have a positive color $\delta_1$ (representing their identity), and

$Init_{lock} = (\exists u \in w.\ \delta_2(u) < 0) \wedge (\forall u, u' \in w.\ u = u') \wedge (\forall t \in r.\ false)$

specifies the initial state of the lock: there is only one token in place $w$ and its color $\delta_2$ is
negative, and the place $r$ is empty.

The premises of Theorem 8.4 are fulfilled since the model proposed in Table 6.2 is in
CPN[$\Sigma_1$], and $Init$ and $RF$ are both in $\mathcal{B}(\Sigma_1)$. It follows that we have to find an inductive
invariant $\varphi_{aux} \in \mathcal{B}(\Sigma_1)$ such that $Init \Rightarrow \varphi_{aux}$ and $\varphi_{aux} \Rightarrow RF$. We consider the
following $\mathcal{B}(\Sigma_1)$ formula as candidate for $\varphi_{aux}$:

$Aux = G_x \wedge Ids \wedge RW_w \wedge RW_r \wedge RF$

where $G_x$, $Ids$ and $RF$ are defined above and

$RW_w = (\exists u \in w.\ true) \wedge (\forall u, u' \in w.\ u = u') \wedge ((\exists t.\ w2(t) \vee w3(t)) \Leftrightarrow (\exists u \in w.\ \delta_2(u) > 0))$

specifies that the place $w$ contains only one token, whose color $\delta_2$ is positive exactly when a
writer process is accessing the global variable (because $\delta_2$ stores the identity of the writer), and

$RW_r = (\exists v.\ r2(v) \vee r3(v)) \Leftrightarrow (\exists t \in r.\ true)$

expresses that the place $r$ must contain a token exactly when a reader process is accessing the
global variable (i.e., it is at location $r2$ or $r3$).

Therefore, to check the safety property $RF$ we have to show that: (1) $Init \Rightarrow Aux$,
(2) for any transition $\tau$ in the system, $post_\tau(Aux) \Rightarrow Aux$, and (3) $Aux \Rightarrow RF$. We leave
point (1) as an exercise. Point (3) follows trivially from the definition of $Aux$. In
the following, we detail the proof of point (2) for one transition of the system, namely
$w_1$, that we recall hereafter for readability:

$w_1 : w1, w \hookrightarrow w2, w : \neg(\exists z \in r.\ true) \wedge \delta_2(x_2) < 0 \wedge \delta_2(y_2) = \delta_1(x_1) \wedge \delta_1(y_2) = \delta_1(x_2) \wedge \varphi_{id}(1)$

Using equation (7.1) we obtain that the post-image of $Aux$ by the transition $w_1$ has the
following form:

$Aux_{post_{w_1}} = \exists y_1 \in w2.\ \exists y_2 \in w.\ \exists c_{1,x_1}, c_{2,x_1}, c_{1,x_2}, c_{2,x_2}.$
$\quad ( (Aux \wedge \neg(\exists z \in r.\ true) \wedge \delta_2(x_2) < 0 \wedge \delta_2(y_2) = \delta_1(x_1) \wedge \delta_1(y_2) = \delta_1(x_2) \wedge \varphi_{id}(1)) \ominus (\vec{x}, loc_{\vec{x}}, col_{\vec{x}}) ) \oplus (\vec{y}, loc_{\vec{y}})$

where $\vec{x} = (x_1, x_2)$, $loc_{\vec{x}} = [x_1 \mapsto w1, x_2 \mapsto w]$, $col_{\vec{x}} = [x_i \mapsto_k c_{k,x_i}]_{1 \le i \le 2,\ 1 \le k \le 2}$,
$\vec{y} = (y_1, y_2)$, and $loc_{\vec{y}} = [y_1 \mapsto w2, y_2 \mapsto w]$.

Before applying the operators $\ominus$ and $\oplus$, let us observe that the closed sub-formulas $G_x$,
$RW_r$ and $RF$ of $Aux$, as well as the guard conjunct $\neg(\exists z \in r.\ true)$, concern places which are
not involved in the transition $w_1$. It can be shown (and Example 7.2 gives an illustration of
this fact) that these sub-formulas are not changed by the application of the $\ominus$ and $\oplus$
operators. Therefore, we have to apply these operators only on the remaining sub-formulas of
$Aux$ and on the guard of $w_1$, i.e.:

$Aux_{post_{w_1}} = G_x \wedge RW_r \wedge RF \wedge \neg(\exists z \in r.\ true) \wedge$
$\quad \exists y_1 \in w2.\ \exists y_2 \in w.\ \exists c_{1,x_1}, c_{2,x_1}, c_{1,x_2}, c_{2,x_2}.$
$\quad ( (Ids \wedge RW_w \wedge \delta_2(x_2) < 0 \wedge \delta_2(y_2) = \delta_1(x_1) \wedge \delta_1(y_2) = \delta_1(x_2) \wedge \varphi_{id}(1)) \ominus (\vec{x}, loc_{\vec{x}}, col_{\vec{x}}) ) \oplus (\vec{y}, loc_{\vec{y}})$

By distributing the $\ominus$ operator over $\wedge$ (rules $\ominus 4$ and $\ominus 5$), and by applying three times the
rule $\ominus 2$ (once for each atomic color constraint of the guard), we obtain:

$Aux_{post_{w_1}} = G_x \wedge RW_r \wedge RF \wedge \neg(\exists z \in r.\ true) \wedge$
$\quad \exists y_1 \in w2.\ \exists y_2 \in w.\ \exists c_{1,x_1}, c_{2,x_1}, c_{1,x_2}, c_{2,x_2}.$
$\quad ( Ids \ominus (\vec{x}, loc_{\vec{x}}, col_{\vec{x}}) \wedge RW_w \ominus (\vec{x}, loc_{\vec{x}}, col_{\vec{x}}) \wedge$
$\quad\ c_{2,x_2} < 0 \wedge \delta_2(y_2) = c_{1,x_1} \wedge \delta_1(y_2) = c_{1,x_2} \wedge \varphi_{id}(1) \ominus (\vec{x}, loc_{\vec{x}}, col_{\vec{x}}) ) \oplus (\vec{y}, loc_{\vec{y}})$

The application of $\ominus$ on the $Ids$ sub-formula uses the rules $\ominus 4$ and $\ominus 6$ and has as effect the
introduction of constraints on the $c_{1,x_1}$ and $c_{1,x_2}$ color variables:

$Ids \ominus (\vec{x}, loc_{\vec{x}}, col_{\vec{x}}) = (\forall t.\ \delta_1(t) > 0) \ominus (\vec{x}, loc_{\vec{x}}, col_{\vec{x}}) = Ids \wedge c_{1,x_1} > 0 \wedge c_{1,x_2} > 0$

The result of applying $\ominus$ on the $RW_w$ sub-formula is (sometimes we omit the arguments of
$\ominus$ for legibility):

$RW_w \ominus (\vec{x}, loc_{\vec{x}}, col_{\vec{x}})$
$= ( (\exists u \in w.\ true) \wedge (\forall u, u' \in w.\ u = u') \wedge ((\exists t.\ w2(t) \vee w3(t)) \Leftrightarrow (\exists u \in w.\ \delta_2(u) > 0)) ) \ominus (\vec{x}, loc_{\vec{x}}, col_{\vec{x}})$
$= (\exists u \in w.\ true) \ominus (\vec{x}, loc_{\vec{x}}, col_{\vec{x}}) \wedge (\forall u, u' \in w.\ u = u') \ominus (\vec{x}, loc_{\vec{x}}, col_{\vec{x}}) \wedge$
$\quad ((\exists t.\ w2(t) \vee w3(t)) \Leftrightarrow (\exists u \in w.\ \delta_2(u) > 0)) \ominus (\vec{x}, loc_{\vec{x}}, col_{\vec{x}})$
$= ((\exists u \in w.\ true) \vee true) \wedge$
$\quad (\forall u \in w.\ (\forall u' \in w.\ (u = u') \ominus) \wedge (u = x_2) \ominus) \wedge (\forall u' \in w.\ (x_2 = u') \ominus) \wedge (x_2 = x_2) \ominus \wedge$
$\quad ((\exists t.\ w2(t) \vee w3(t)) \Leftrightarrow ((\exists u \in w.\ \delta_2(u) > 0) \vee c_{2,x_2} > 0))$
$= true \wedge (\forall u \in w.\ (\forall u' \in w.\ u = u') \wedge false) \wedge (\forall u' \in w.\ false) \wedge true \wedge$
$\quad ((\exists t.\ w2(t) \vee w3(t)) \Leftrightarrow ((\exists u \in w.\ \delta_2(u) > 0) \vee c_{2,x_2} > 0))$

After some trivial simplification, we obtain:

$RW_w \ominus (\vec{x}, loc_{\vec{x}}, col_{\vec{x}}) = (\forall u \in w.\ false) \wedge ((\exists t.\ w2(t) \vee w3(t)) \Leftrightarrow ((\exists u \in w.\ \delta_2(u) > 0) \vee c_{2,x_2} > 0))$

As expected, the first conjunct of the result obtained above says that after the deletion of
the $x_2$ token from $w$, there is no more token in $w$.

The result of applying $\ominus$ on the $\varphi_{id}(1)$ sub-formula is:

$\varphi_{id}(1) \ominus (\vec{x}, loc_{\vec{x}}, col_{\vec{x}}) = (\delta_1(x_1) = \delta_1(y_1) \wedge \delta_2(x_1) = \delta_2(y_1)) \ominus (\vec{x}, loc_{\vec{x}}, col_{\vec{x}}) = \delta_1(y_1) = c_{1,x_1} \wedge \delta_2(y_1) = c_{2,x_1}$

Therefore, after applying the $\ominus$ operator we obtain:

$Aux_{post_{w_1}} = G_x \wedge RW_r \wedge RF \wedge \neg(\exists z \in r.\ true) \wedge$
$\quad \exists y_1 \in w2.\ \exists y_2 \in w.\ \exists c_{1,x_1}, c_{2,x_1}, c_{1,x_2}, c_{2,x_2}.$
$\quad ( Ids \wedge c_{1,x_1} > 0 \wedge c_{1,x_2} > 0 \wedge (\forall u \in w.\ false) \wedge$
$\quad\ ((\exists t.\ w2(t) \vee w3(t)) \Leftrightarrow ((\exists u \in w.\ \delta_2(u) > 0) \vee c_{2,x_2} > 0)) \wedge$
$\quad\ c_{2,x_2} < 0 \wedge \delta_2(y_2) = c_{1,x_1} \wedge \delta_1(y_2) = c_{1,x_2} \wedge \delta_1(y_1) = c_{1,x_1} \wedge \delta_2(y_1) = c_{2,x_1} ) \oplus (\vec{y}, loc_{\vec{y}})$

The $\oplus$ operation transforms all sub-formulas containing quantifiers. Indeed, after
distributing $\oplus$ over conjunctions (rules $\oplus 4$ and $\oplus 5$) and after applying several times rules $\oplus 2$
and $\oplus 6$, we obtain:

$Aux_{post_{w_1}} = G_x \wedge RW_r \wedge RF \wedge \neg(\exists z \in r.\ true) \wedge$
$\quad \exists y_1 \in w2.\ \exists y_2 \in w.\ \exists c_{1,x_1}, c_{2,x_1}, c_{1,x_2}, c_{2,x_2}.$
$\quad ( (\forall t.\ \delta_1(t) > 0 \vee t = y_1 \vee t = y_2) \wedge c_{1,x_1} > 0 \wedge c_{1,x_2} > 0 \wedge$
$\quad\ (\forall u \in w.\ false \vee u = y_2) \wedge$
$\quad\ ((\exists t.\ (w2(t) \vee w3(t)) \wedge t \neq y_1) \Leftrightarrow ((\exists u \in w.\ \delta_2(u) > 0 \wedge u \neq y_2) \vee c_{2,x_2} > 0)) \wedge$
$\quad\ c_{2,x_2} < 0 \wedge \delta_2(y_2) = c_{1,x_1} \wedge \delta_1(y_2) = c_{1,x_2} \wedge \delta_1(y_1) = c_{1,x_1} \wedge \delta_2(y_1) = c_{2,x_1} )$

We can now apply the decision procedure defined in Section 4 to prove that $Aux_{post_{w_1}} \Rightarrow Aux$,
i.e., that $Aux_{post_{w_1}} \wedge \neg Aux$ is unsatisfiable. Instead of doing this proof, we give some hints
about the validity of this implication. First, we remark that, after projecting out the color
variables $c_{1,x_1}$ and $c_{1,x_2}$, the $Ids$ sub-formula of $Aux$ is implied by the sub-formula
$(\forall t.\ \delta_1(t) > 0 \vee t = y_1 \vee t = y_2)$ together with the constraints on $\delta_1(y_1)$ and $\delta_1(y_2)$:

$Aux_{post_{w_1}} = G_x \wedge RW_r \wedge RF \wedge \neg(\exists z \in r.\ true) \wedge$
$\quad \exists y_1 \in w2.\ \exists y_2 \in w.\ \exists c_{2,x_1}, c_{2,x_2}.$
$\quad ( (\forall t.\ \delta_1(t) > 0 \vee t = y_1 \vee t = y_2) \wedge \delta_1(y_1) > 0 \wedge \delta_1(y_2) > 0 \wedge$
$\quad\ (\forall u \in w.\ u = y_2) \wedge$
$\quad\ ((\exists t.\ (w2(t) \vee w3(t)) \wedge t \neq y_1) \Leftrightarrow ((\exists u \in w.\ \delta_2(u) > 0 \wedge u \neq y_2) \vee c_{2,x_2} > 0)) \wedge$
$\quad\ c_{2,x_2} < 0 \wedge \delta_2(y_2) > 0 \wedge \delta_2(y_1) = c_{2,x_1} )$

Second, the $RW_w$ sub-formula of $Aux$ is implied by the sub-formula $\exists y_1 \in w2.\ \exists y_2 \in w.\ \ldots$
$(\forall u \in w.\ u = y_2) \wedge \ldots \wedge \delta_2(y_2) > 0 \ldots$. Finally, in the context of the conjuncts $c_{2,x_2} < 0$ and
$(\forall u \in w.\ u = y_2)$, the right member of the equivalence

$(\exists t.\ (w2(t) \vee w3(t)) \wedge t \neq y_1) \Leftrightarrow ((\exists u \in w.\ \delta_2(u) > 0 \wedge u \neq y_2) \vee c_{2,x_2} > 0)$

is false, hence so is its left member; we can therefore replace the equivalence by
$\neg(\exists t.\ (w2(t) \vee w3(t)) \wedge t \neq y_1)$, which expresses, as expected, that only one writer (here $y_1$)
can be present at location $w2$.

Algorithm                     Nb. rules   Inv. size   SMT Lemmas   Time (sec.)
Burns [BL80]                      9           6            92          0.81
Ticket                            3           9            28         26.23
Bakery [Lam74]                    3           5            10          0.15
Dijkstra [Dij65]                 11           9          1177      18390.97
Martin [Mar86]                    8           7           837        980.97
Szymanski [Szy88]                 9          12           293       1065.1
Reader-writer lock [FFQ02]        6           9            70       2195.68

Table 5: Experimental results.

9.2. Experimental results. We have implemented the algorithms for the decision procedure
of CML, the post and pre-image computations, and the inductive invariant checking.

Our prototype tool, implemented in OCaml, takes as input an invariant $\varphi_{inv}$ in $\mathcal{B}(\Sigma_1)$
which is a conjunction of local invariants written in a special form (see the definition in
Section [233]). Indeed, invariants are usually conjunctions of formulas, each of them being
an assertion which must hold when the control is at some particular location. Then, it
decomposes the inductive invariant checking problem (i.e., $post(\varphi_{inv}) \wedge \neg\varphi_{inv}$ is unsatisfiable)
into several lemmas, one lemma for each transition of the input CPN model and for each
local invariant in $\varphi_{inv}$ which mentions places involved in the transition. For example, the
tool generates 70 lemmas for the verification of the inductive invariant for the $RF$ property
on the Reader-Writer lock example. However, not all lemmas are generated if the decision
procedure for CML returns satisfiable for one of them (which implies that $\varphi_{inv}$ is not an
inductive invariant). The implemented decision procedure for CML is parameterized by the
decision procedure for the logic of colors $FO(C, \Omega, \Xi)$. Actually, we generate lemmas in the
SMT-LIB format and we have an interface with most known SMT solvers. Therefore, we
can allow as color logic any theory supported by state-of-the-art SMT solvers.

Using this prototype, we modeled and verified several parameterized versions of mutual
exclusion algorithms. The experimental results are given in Table 5. (The considered
models of the Burns and Bakery algorithms use atomic global condition checks over all the
processes, although our framework allows in principle the consideration of models where
global conditions are checked using non-atomic iterations over the set of processes.) For all
these examples, the color logic is the difference logic over integers, for which we have used
the decision procedure of Yices [DdM06]. For each example, Table 5 gives the number of
rules of the model, the number of conjuncts of the inductive invariant (in CNF), the number
of lemmas generated for the SMT solver, and the global execution time.
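As an added illustration, not part of the paper or of its prototype, the following Python code runs both the iterative strengthening of Section 8.3 and Theorem 8.5 ($\varphi_{inv}$, $\varphi_{inv} \cap \widetilde{pre}_S(\varphi_{inv})$, ...) and the per-transition decomposition of the inductive check described above on an explicit-state toy: a reader-writer lock with a fixed number of processes whose lock state is a reader count and a writer count. The model, the instance sizes, and every identifier (`strengthen`, `inductiveness_lemmas`, `pre_tilde`, the transition names) are constructed here for the example and are unrelated to the CPN of Table 6.2; with finitely many configurations, $post_\tau$ and $\widetilde{pre}_S$ are plain set operations, so the strengthening sequence can be iterated to its fixpoint and the result checked transition by transition.

```python
"""Iterative invariant strengthening and per-transition inductiveness lemmas on a
constructed explicit-state toy reader-writer lock (example model, not the paper's
CPN).  A configuration is (reader_locs, writer_locs, r, w): each reader is idle (0)
or reading (1), each writer idle (0) or writing (1); r counts readers holding the
lock and w counts writers holding it.  Guards read only r and w."""
from itertools import product

N_READERS, N_WRITERS = 2, 2   # fixed instance sizes (assumption of the example)

def universe():
    """All well-formed configurations, whether or not r and w match the locations."""
    for rl in product((0, 1), repeat=N_READERS):
        for wl in product((0, 1), repeat=N_WRITERS):
            for r in range(N_READERS + 1):
                for w in range(N_WRITERS + 1):
                    yield (rl, wl, r, w)

STATES = frozenset(universe())

def set_at(locs, i, v):
    return locs[:i] + (v,) + locs[i + 1:]

# Each transition maps one configuration to the set of its successors.
def reader_acquire(s):
    rl, wl, r, w = s
    return {(set_at(rl, i, 1), wl, r + 1, w)
            for i, loc in enumerate(rl) if loc == 0 and w == 0}

def reader_release(s):
    rl, wl, r, w = s
    return {(set_at(rl, i, 0), wl, r - 1, w) for i, loc in enumerate(rl) if loc == 1}

def writer_acquire(s):
    rl, wl, r, w = s
    return {(rl, set_at(wl, j, 1), r, w + 1)
            for j, loc in enumerate(wl) if loc == 0 and r == 0 and w == 0}

def writer_release(s):
    rl, wl, r, w = s
    return {(rl, set_at(wl, j, 0), r, w - 1) for j, loc in enumerate(wl) if loc == 1}

TRANSITIONS = [("reader_acquire", reader_acquire), ("reader_release", reader_release),
               ("writer_acquire", writer_acquire), ("writer_release", writer_release)]

def post(states, step):
    """post_tau(states) for the transition function `step`."""
    return {t for s in states for t in step(s)}

def pre_tilde(states):
    """Dual pre-image: configurations all of whose successors, under every
    transition, lie in `states` (a successor outside STATES counts as outside)."""
    return {s for s in STATES
            if all(t in states for _, step in TRANSITIONS for t in step(s))}

def reachable(init):
    seen, frontier = set(init), set(init)
    while frontier:
        frontier = {t for s in frontier for _, step in TRANSITIONS for t in step(s)} - seen
        seen |= frontier
    return seen

def mutex(s):
    """phi_inv: never a reader and a writer together, and never two writers."""
    rl, wl, _, _ = s
    return not (any(rl) and any(wl)) and sum(wl) <= 1

INIT = {s for s in STATES if not any(s[0]) and not any(s[1]) and s[2] == s[3] == 0}
PHI_INV = {s for s in STATES if mutex(s)}

def inductiveness_lemmas(inv, stop_early=True):
    """One lemma per transition: post_tau(inv) is included in inv.  Returns
    (transition name, holds) pairs; with stop_early the first failing lemma ends
    the check, as the prototype of Section 9.2 stops at a satisfiable lemma."""
    results = []
    for name, step in TRANSITIONS:
        holds = post(inv, step) <= inv
        results.append((name, holds))
        if stop_early and not holds:
            break
    return results

def is_inductive_invariant(init, inv):
    return init <= inv and all(h for _, h in inductiveness_lemmas(inv, False))

def strengthen(inv):
    """Iterate I_0 = inv, I_{k+1} = I_k & pre_tilde(I_k) up to the fixpoint.  Since
    pre_tilde distributes over intersection, I_k equals inv & pre_tilde(inv) & ...
    & pre_tilde^k(inv), the sequence of Section 8.3, and the fixpoint is the largest
    inductive invariant contained in inv.  Returns (fixpoint, number of steps)."""
    cur, steps = set(inv), 0
    while True:
        nxt = cur & pre_tilde(cur)
        if nxt == cur:
            return cur, steps
        cur, steps = nxt, steps + 1

if __name__ == "__main__":
    print("phi_inv inductive:", is_inductive_invariant(INIT, PHI_INV), inductiveness_lemmas(PHI_INV))
    inv, steps = strengthen(PHI_INV)
    print("strengthened in", steps, "steps; inductive:", is_inductive_invariant(INIT, inv))
```

Mutual exclusion alone is not inductive on this toy: a configuration with a writer at its critical location but a zero writer count satisfies it, and from there `reader_acquire` passes its guard and produces a reader and a writer in their critical sections at once, so the first lemma already fails. The strengthening loop removes such configurations automatically and stops at the largest inductive subset of the property, which is the kind of auxiliary information a user would otherwise have to write by hand as assertions tying the lock counters to the control locations.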

A. BOUAJJANI, C. DRAGOI, C. ENEA, Y. JURSKI, AND M. SIGHIREANU

10. Conclusion

We have presented a framework for reasoning about dynamic/parametric networks of
processes manipulating data over infinite domains. We have provided generic models for
these systems and a logic allowing to specify their configurations, both being parametrized
by a logic on the considered data domain. We have identified a fragment of this logic having
a decidable satisfiability problem and which is closed under post and pre image computation,
and we have shown the application of these results in verification.

Our framework allows to deal in a uniform way with all classes of systems manipulating
infinite data domains with a decidable first-order theory. In this paper, we have considered
instantiations of this framework based on logics over integers or reals (which allows
to consider systems with numerical variables). Different data domains can be considered
in order to deal with other classes of systems such as multithreaded programs where each
process (thread) has an unbounded stack (due to procedure calls). Our future work also
includes the extension of our framework to other classes of systems and features such as
dynamic networks of timed processes, networks of processes with broadcast communication,
interruptions and exception handling, etc.